Sorry for the repost but I submitted this to 2 lists and did not get any
responses.

If you have any suggestions please throw them out.

Thanks in advance

Greg Felzer 
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Greg Felzer
Sent: Tuesday, March 04, 2003 11:11 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] User rights on Domain computers and security issues

We are in the process of rolling out a new desktop at MUSC using a W2K AD
infrastructure and an XP SP1 managed desktop.

We piloted our new desktop for about a month to gauge the users'
requirements for the new system.  We had made the users' domain accounts
members of the local power users group and enabled roaming profiles.  During
our pilot testing the user base requested the ability to install hardware
devices (zip drives, biometric mouse, etc.) and be able to install any
software they want to locally.  The power user's right gave them the ability
to install most hardware devices EXCEPT devices that required a service to
be installed or needed to modify certain hives under HKLM.  The power user's
right also gave them the ability to install most software EXCEPT if
installation required local administrator privileges (like MS Project 2000).

Giving the user account local administrator privileges is not an option for
the security concerns that are enumerated here:

http://www.sans.org/rr/win/commonality.php

Also giving the users local administrator access would allow them to browse
other users' local profile directories that had been cached.  Although we
could delete all profiles upon log off this would prevent the user from
logging onto the computer in the event of a network failure (there are no
local user accounts).

We tried to give the local power user's group full control to HKLM.  The
trouble with this is that in essence it makes them local administrators on
the machine, which brings us back to our security concerns.

Any ideas....all suggestions are welcome.

Greg Felzer
MCSE NT4, MCSE 2000, CCA, CCNA, CNA
Senior Systems Engineer
Center for Computing and Information Technology
Medical University of South Carolina


List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
