Windows 2003 User rights.

  • Thread starter Thread starter drkc
  • Start date Start date
D

drkc

I've got a user that happens to be a general manager for a client and he is
demanding the ability to install software on his system while logged in with
his username.

I don't want to give him that ability but wanted to ask here if there is
*any way* to give him that level of access 'safely'. I don't think there is
so I bow to any experts here that can show me the light.

I've been told our support contract hangs in the balance so I really want to
be right if we have to go over his head.

What started this was him getting a Treo and not being able to install the
software 'right now without all this administrator B.S.'

Thanks for any assistance.

It's Monday the 13th of August. I'd like to have something to present
tomorrow.

Thank you!
 
Hi,

Can you be a little more specific about the setup i.e. are you working in an
AD environment?


"drkc" <drkc@discussions.microsoft.com> wrote in message
news:D531E279-C5A5-42FD-B944-EDF05FDC7362@microsoft.com...
> I've got a user that happens to be a general manager for a client and he
> is
> demanding the ability to install software on his system while logged in
> with
> his username.
>
> I don't want to give him that ability but wanted to ask here if there is
> *any way* to give him that level of access 'safely'. I don't think there
> is
> so I bow to any experts here that can show me the light.
>
> I've been told our support contract hangs in the balance so I really want
> to
> be right if we have to go over his head.
>
> What started this was him getting a Treo and not being able to install the
> software 'right now without all this administrator B.S.'
>
> Thanks for any assistance.
>
> It's Monday the 13th of August. I'd like to have something to present
> tomorrow.
>
> Thank you!
 
You can make him a member of the local Power Users group. He can install
software but cannot make changes to operating system or access any other
local profile.


"drkc" <drkc@discussions.microsoft.com> wrote in message
news:D531E279-C5A5-42FD-B944-EDF05FDC7362@microsoft.com...
> I've got a user that happens to be a general manager for a client and he
> is
> demanding the ability to install software on his system while logged in
> with
> his username.
>
> I don't want to give him that ability but wanted to ask here if there is
> *any way* to give him that level of access 'safely'. I don't think there
> is
> so I bow to any experts here that can show me the light.
>
> I've been told our support contract hangs in the balance so I really want
> to
> be right if we have to go over his head.
>
> What started this was him getting a Treo and not being able to install the
> software 'right now without all this administrator B.S.'
>
> Thanks for any assistance.
>
> It's Monday the 13th of August. I'd like to have something to present
> tomorrow.
>
> Thank you!
 
OK, Background: SBS2003 Active Directory Domain. Windows XP Pro on the desktop.

I've had people setup as 'Power User' and they haven't been able to install
software.

My issue is this guy is a goober. If he has the ability to install
*anything* on his local system then should I be worried? I'm concerned that
he could install something malicious on his system and hose the server or
cause the spread of spam, spyware or other garbage. The server has antivirus.

I realize that this could be me just being paranoid, but I don't like users
installing their own software on their local systems. I guess what I'm asking
is: Is that a reasonable idea or am I being too restrictive? I made this guy
a local admin on his box. He still can't install software.



"SBS Rocker" wrote:

> You can make him a member of the local Power Users group. He can install
> software but cannot make changes to operating system or access any other
> local profile.
>
>
> "drkc" <drkc@discussions.microsoft.com> wrote in message
> news:D531E279-C5A5-42FD-B944-EDF05FDC7362@microsoft.com...
> > I've got a user that happens to be a general manager for a client and he
> > is
> > demanding the ability to install software on his system while logged in
> > with
> > his username.
> >
> > I don't want to give him that ability but wanted to ask here if there is
> > *any way* to give him that level of access 'safely'. I don't think there
> > is
> > so I bow to any experts here that can show me the light.
> >
> > I've been told our support contract hangs in the balance so I really want
> > to
> > be right if we have to go over his head.
> >
> > What started this was him getting a Treo and not being able to install the
> > software 'right now without all this administrator B.S.'
> >
> > Thanks for any assistance.
> >
> > It's Monday the 13th of August. I'd like to have something to present
> > tomorrow.
> >
> > Thank you!
>
>
>
 
Having users as local administrators just pushed up the cost of support,
reduces the reliability of the network (because they could introduce a
virus) and increases the security protection required (e.g NAC). If the
business is fine with that, its their choice. There are some cases where its
fine, and others where they don't even want the users to access the
internet. Its a business question, not a technical one.
One thing you can consider if someone is adamant they need full rights, is
to create a VLAN with NAC and limited access to the network. If anyone
connects to it they get virus scanned, patched etc. They just need to pay
the full cost of the extra work,
Anthony -
http://www.airdesk.co.uk





"drkc" <drkc@discussions.microsoft.com> wrote in message
news:66355E1D-A23A-459C-A45D-CA0FDA5F3EA3@microsoft.com...
> OK, Background: SBS2003 Active Directory Domain. Windows XP Pro on the
> desktop.
>
> I've had people setup as 'Power User' and they haven't been able to
> install
> software.
>
> My issue is this guy is a goober. If he has the ability to install
> *anything* on his local system then should I be worried? I'm concerned
> that
> he could install something malicious on his system and hose the server or
> cause the spread of spam, spyware or other garbage. The server has
> antivirus.
>
> I realize that this could be me just being paranoid, but I don't like
> users
> installing their own software on their local systems. I guess what I'm
> asking
> is: Is that a reasonable idea or am I being too restrictive? I made this
> guy
> a local admin on his box. He still can't install software.
>
>
>
> "SBS Rocker" wrote:
>
>> You can make him a member of the local Power Users group. He can install
>> software but cannot make changes to operating system or access any other
>> local profile.
>>
>>
>> "drkc" <drkc@discussions.microsoft.com> wrote in message
>> news:D531E279-C5A5-42FD-B944-EDF05FDC7362@microsoft.com...
>> > I've got a user that happens to be a general manager for a client and
>> > he
>> > is
>> > demanding the ability to install software on his system while logged in
>> > with
>> > his username.
>> >
>> > I don't want to give him that ability but wanted to ask here if there
>> > is
>> > *any way* to give him that level of access 'safely'. I don't think
>> > there
>> > is
>> > so I bow to any experts here that can show me the light.
>> >
>> > I've been told our support contract hangs in the balance so I really
>> > want
>> > to
>> > be right if we have to go over his head.
>> >
>> > What started this was him getting a Treo and not being able to install
>> > the
>> > software 'right now without all this administrator B.S.'
>> >
>> > Thanks for any assistance.
>> >
>> > It's Monday the 13th of August. I'd like to have something to present
>> > tomorrow.
>> >
>> > Thank you!
>>
>>
>>
 
Well if you made the guy a local admin on his own machine and he still
cannot install software then yes he must be a goober. You have two choices.
Let him do it or you do it.

"drkc" <drkc@discussions.microsoft.com> wrote in message
news:66355E1D-A23A-459C-A45D-CA0FDA5F3EA3@microsoft.com...
> OK, Background: SBS2003 Active Directory Domain. Windows XP Pro on the
> desktop.
>
> I've had people setup as 'Power User' and they haven't been able to
> install
> software.
>
> My issue is this guy is a goober. If he has the ability to install
> *anything* on his local system then should I be worried? I'm concerned
> that
> he could install something malicious on his system and hose the server or
> cause the spread of spam, spyware or other garbage. The server has
> antivirus.
>
> I realize that this could be me just being paranoid, but I don't like
> users
> installing their own software on their local systems. I guess what I'm
> asking
> is: Is that a reasonable idea or am I being too restrictive? I made this
> guy
> a local admin on his box. He still can't install software.
>
>
>
> "SBS Rocker" wrote:
>
>> You can make him a member of the local Power Users group. He can install
>> software but cannot make changes to operating system or access any other
>> local profile.
>>
>>
>> "drkc" <drkc@discussions.microsoft.com> wrote in message
>> news:D531E279-C5A5-42FD-B944-EDF05FDC7362@microsoft.com...
>> > I've got a user that happens to be a general manager for a client and
>> > he
>> > is
>> > demanding the ability to install software on his system while logged in
>> > with
>> > his username.
>> >
>> > I don't want to give him that ability but wanted to ask here if there
>> > is
>> > *any way* to give him that level of access 'safely'. I don't think
>> > there
>> > is
>> > so I bow to any experts here that can show me the light.
>> >
>> > I've been told our support contract hangs in the balance so I really
>> > want
>> > to
>> > be right if we have to go over his head.
>> >
>> > What started this was him getting a Treo and not being able to install
>> > the
>> > software 'right now without all this administrator B.S.'
>> >
>> > Thanks for any assistance.
>> >
>> > It's Monday the 13th of August. I'd like to have something to present
>> > tomorrow.
>> >
>> > Thank you!
>>
>>
>>
 
You do not have to have the ability to install or be an admin to spread a
virus.

"Anthony" <anthony.spam@spammedout.com> wrote in message
news:uvcztNk3HHA.1188@TK2MSFTNGP04.phx.gbl...
> Having users as local administrators just pushed up the cost of support,
> reduces the reliability of the network (because they could introduce a
> virus) and increases the security protection required (e.g NAC). If the
> business is fine with that, its their choice. There are some cases where
> its fine, and others where they don't even want the users to access the
> internet. Its a business question, not a technical one.
> One thing you can consider if someone is adamant they need full rights, is
> to create a VLAN with NAC and limited access to the network. If anyone
> connects to it they get virus scanned, patched etc. They just need to pay
> the full cost of the extra work,
> Anthony -
> http://www.airdesk.co.uk
>
>
>
>
>
> "drkc" <drkc@discussions.microsoft.com> wrote in message
> news:66355E1D-A23A-459C-A45D-CA0FDA5F3EA3@microsoft.com...
>> OK, Background: SBS2003 Active Directory Domain. Windows XP Pro on the
>> desktop.
>>
>> I've had people setup as 'Power User' and they haven't been able to
>> install
>> software.
>>
>> My issue is this guy is a goober. If he has the ability to install
>> *anything* on his local system then should I be worried? I'm concerned
>> that
>> he could install something malicious on his system and hose the server or
>> cause the spread of spam, spyware or other garbage. The server has
>> antivirus.
>>
>> I realize that this could be me just being paranoid, but I don't like
>> users
>> installing their own software on their local systems. I guess what I'm
>> asking
>> is: Is that a reasonable idea or am I being too restrictive? I made this
>> guy
>> a local admin on his box. He still can't install software.
>>
>>
>>
>> "SBS Rocker" wrote:
>>
>>> You can make him a member of the local Power Users group. He can install
>>> software but cannot make changes to operating system or access any other
>>> local profile.
>>>
>>>
>>> "drkc" <drkc@discussions.microsoft.com> wrote in message
>>> news:D531E279-C5A5-42FD-B944-EDF05FDC7362@microsoft.com...
>>> > I've got a user that happens to be a general manager for a client and
>>> > he
>>> > is
>>> > demanding the ability to install software on his system while logged
>>> > in
>>> > with
>>> > his username.
>>> >
>>> > I don't want to give him that ability but wanted to ask here if there
>>> > is
>>> > *any way* to give him that level of access 'safely'. I don't think
>>> > there
>>> > is
>>> > so I bow to any experts here that can show me the light.
>>> >
>>> > I've been told our support contract hangs in the balance so I really
>>> > want
>>> > to
>>> > be right if we have to go over his head.
>>> >
>>> > What started this was him getting a Treo and not being able to install
>>> > the
>>> > software 'right now without all this administrator B.S.'
>>> >
>>> > Thanks for any assistance.
>>> >
>>> > It's Monday the 13th of August. I'd like to have something to present
>>> > tomorrow.
>>> >
>>> > Thank you!
>>>
>>>
>>>
>
>
 
Back
Top