User Rights in Domain

Clayton

Hello,
I am trying to find/figure out a way to allow a standard
Domain User, install rights within the Domain.
This user can not be a Domain Admin, or belong to the
Administrators Group in the Domain but needs to be able to
install programs to PC's within the Domain without being a
Local Admin to every PC in my Domain.
Please take a stab at this...due to Sarbanes Oxley
compliance within our Organization we have to eliminate
all people that have Administrative rights within the
Domain that are accounts that are not needed as such.
 
Clayton

Well if you read the below it states that I do not want to
have to go to all PC's in order to allow local access and
Power Users are local to PC's ...not Domains...
 
Cary Shultz [A.D. MVP]

Clayton,

I think that what he was suggesting was that you use the Restricted Groups
GPO so that you do not have to go to each and every computer! What you can
do is to make the Domain Users group - via this GPO - a member of the local
Power Users group ( by default, the Domain Users group is a member of the
local Users group on each system ) on each WIN2000 and/or WINXP Pro system.
All you would need to do is to follow the following MSKB Article:

http://support.microsoft.com/?id=320065

All you would do is use the Power Users local group instead of the
Administrators local group. This will allow some software to be installed ( as
well as print drivers ). However, it is probably not going to solve all of the
issues.

I am not sure that I understand what you mean by "a standard Domain User
install rights within the domain". I take it that you want regular user
account objects to be able to log on to any workstation ( and -NOT- any
Servers ) and install software. You might want to rethink this if I am
reading you correctly. This will allow the users to install a lot of
garbage software on their systems ( like Hotbar and Gator and Weatherbug,
etc. ) that will cause a lot of problems.

But, hey, you are the boss in your environment. I just want you to have as
many facts as possible. Most experienced Sys Admins do not allow this in
their environment. Too many variables that will result in you spending a
lot of time doing Help Desk tasks.

HTH,

Cary
 
smooredhs

We use a product called User Manager Pro to push out mass changes
like this to PC's and servers. I've had to avoid the Restricted Groups GPO
only because I understand that it overlays completely whatever is in the PC's
local administrator group. Some staff have been given administrator rights over
their PC's, so this would just wipe that out. I hope in the future there is
a way to apply this in only an additive way.

Steve
 
Cary Shultz [A.D. MVP]

Okay,

However, there was a patch to the 'normal' processing of the Restricted
Groups GPO. You would have to call MS-PSS and make sure that you get both
the WIN2000 and WINXP versions. Simply install this patch to each system
and then make use of Restricted Groups and whatever is already there stays!
You simply add the security group that you designate to the local group of
your focus. Too bad that you spent money on an application that might not
have been necessary. Does it do anything else that justifies the cost (
oops, there I go again assuming that you paid for this software; there is
such a thing as freeware and shareware! ).

Here is the link to the update that modifies the behavior of the Restricted
Groups:

http://support.microsoft.com/?id=810076

HTH,

Cary
 
Clayton

Ok
Let me clarify...
Due to Sarbanes Oxley, I have been tasked to remove any
current Domain Admin from that group, however the 2 people
in concern need to be able to continue doing their jobs as
they are with Domain Admins rights due to a project they
are currently working on.
The 2 of them are going to need to be able to install
programs on local PC's within the domain without much in
the lines of obstruction...
I would never want everyone to have the ability to install
programs in this domain....only the 2. ( I want to comment
on this later as well)
Now then, in most situations you have to be a Local Admin
or as mentioned, a Power User to do these tasks on the
Domain PC's.
I will research the option that Cary has produced as well
as the software smooredhs has mentioned.
Now then as mentioned above in reference to the fear of
all users installing programs...I have in the past posted
this as a concern...meaning I wanted to find a way to keep
Domain Users from installing any program on their local
PC's. Currently I have found users that can do so?...so I
ask..what can I do (in group policy) to prevent this?
Now then, knowing this, also know that due to some CAD
programs in our Domain, the local users of this program
MUST be Power Users to run it. I have contacted these
vendors and have had no luck in finding a way around it,
so in saying that again, how can I prevent all users from
installing any program they can find from the internet or
otherwise? I did come across a GP that keeps them from
downloading but in the same breath we have contracts with
companies that require us to go to their web sites and
download PDF's and such, which in that case keeps them
from doing their jobs.
I have several OU's that for the most part I can segregate
and apply GP's separately but in most cases people even
though in different OU's do the same type jobs and access
the same web sites for downloads....errr!
Does this help?
Thanks a Bunch
 
Cary Shultz [A.D. MVP]

Clayton,

If your domain user account objects need to be members of the local Power
Users to run the various CAD programs then it looks like you have a dilemma.
I would guess that they would need to be members of that local Group. This,
on the other hand, poses a problem for you in that you do not want your
users to be able to install software! As a member of the local Power Users
group they are able to install a lot of software.

One thing that you might want to explore is sysmon and regmon from
http://www.sysinternals.com. These two small applications will monitor
where failures are taking place ( specific directories or registry entries )
so that you can give the user the required permissions for that one folder
or registry entry. I do not know how involved that would be for you. It is
usually a trial and error thing so you might need a bit of time to tweak it
so that it is just right. And you will want to document this completely!
There is nothing more painful than reinventing the wheel again and again and
again!

As to making it impossible ( or, at least, more difficult ) you might want
to look at Software Restriction Policy. This will allow you, the Sys Admin,
to deny a whole bunch of executables ( but they can be renamed by the
users! ).

Here are some links:

http://support.microsoft.com/?id=324036
http://support.microsoft.com/?id=310791

http://www.microsoft.com/resources/...standard/proddocs/en-us/SRP_create_policy.asp

http://www.windowsecurity.com/articles/windows_2003_restriction_policies_security.html

Please note that these articles focus on WIN2003 and WIN XP Pro. You have
not specified what NOS you are using. I have been operating under the
impression that it was WIN2000 on the Server side and WIN2000/WIN XP Pro on
the Client side. I should have asked earlier..

Also know that you can use NTFS permissions to help abate this problem.
Lock down the C: and C:\Program Files so that 'Domain Users' simply have
read access. Please note that there would not be any share permissions
needed ( well, for starters, you are not sharing those folders and,
secondly, share permissions do not play any factor when accessing the shared
resource locally ).

HTH,

Cary
 
smooredhs

Good to know, thanks. We are close to phasing out all our NT4 workstations so
this might be viable. A GPO based solution is of interest because it enforces
the settings automatically vs. this other product which has to be manually
pushed while the PC is on.

The utility was still helpful however in our migration to AD. As we
consolidated domains, we needed to give individual LAN Administrators admin
rights over the PC's they support, without them having to rely upon the local
administrator account or having Domain Admin rights. For example, for program
area XYZ we could put a group called XYZ-PCAdmins into the local administrators
group of all computers starting with XYZ (due to naming conventions already in
place). The other useful ability is you can have it go out and reset the local
administrator account passwords on a selected group of PC's in batch mode. I'm
not sure what other solutions exist for changing these on a broad basis, has
anyone else dealt with this?

Steve
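The naming-convention approach Steve describes (a group such as XYZ-PCAdmins placed in the local Administrators group of every computer starting with XYZ), seen from the audit side that Clayton's Sarbanes Oxley requirement calls for, as an added PowerShell example that is not code from this thread, from User Manager Pro or from cusrmgr: it reads the local Administrators group on each domain computer matching a name prefix and flags members that are not on an approved list, so drift in local admin rights can be reviewed and evidenced. The prefix, the approved names and the CSV path are assumptions; it needs the ActiveDirectory RSAT module and an account allowed to read the remote machines' local groups.

```powershell
# Added example (not from the thread): audit local Administrators membership on
# domain computers whose names start with a prefix and flag members that are
# not on an approved list. Prefix, approved names and CSV path are assumptions.
param(
    [string]$NamePrefix = 'XYZ',
    [string[]]$Approved = @('Administrator', 'Domain Admins', 'XYZ-PCAdmins')
)

Import-Module ActiveDirectory

function Get-LocalAdmins {
    param([string]$ComputerName)
    # The WinNT ADSI provider reads the local group without needing
    # PowerShell remoting enabled on the target.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

$computers = Get-ADComputer -Filter "Name -like '$NamePrefix*'" |
    Select-Object -ExpandProperty Name

$report = foreach ($c in $computers) {
    try {
        foreach ($m in Get-LocalAdmins -ComputerName $c) {
            [pscustomobject]@{
                Computer = $c
                Member   = $m
                Approved = ($Approved -contains $m)
            }
        }
    } catch {
        # An unreachable machine is itself a finding: it could not be verified.
        [pscustomobject]@{
            Computer = $c
            Member   = "<unreachable: $($_.Exception.Message)>"
            Approved = $false
        }
    }
}

# Unexpected members are what the reviewer looks at; the full list is the evidence.
$report | Where-Object { -not $_.Approved } | Format-Table -AutoSize
$report | Export-Csv -Path ".\LocalAdmins-$NamePrefix-$(Get-Date -Format yyyyMMdd).csv" `
    -NoTypeInformation
```

Members are reported by bare name, so a local account and a domain account with the same name will both match an entry in the approved list; compare the ADsPath instead if that distinction matters in your environment.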
 
Cary Shultz [A.D. MVP]

Steve,

It is called cusrmgr. This is a neat tool. You can change the local Admins
password on the target systems with this utility.

And I actually do know the company that sells this software. I just had a
brain f@rt last night. I used to work at 9100 Wilshire so these guys were
just across the street from us.

It does look like they might have some neat tools but most of the stuff that
I saw last night is stuff that can be done with AD anyway. It is just a
matter of knowing what tool is used to do what. Their package really
simplifies that. Not sure that I would want to spend $500 for it but it
does put everything in one nice place ( vs. having to know about 15
different utilities and how to use them ).

Cary