Next time I see Joe I will tell him you said CPAU is a "bit fiddly to get working". I'm betting that will evoke a giant chuckle. It is a great tool, as are all of his offerings.
________________________________
From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Friday, December 12, 2008 1:48 AM
To: NT System Admin Issues
Subject: Re: deny restart local policy?

Quite right...back in the NT4 days we got around this by writing admin wrappers that let non-admins elevate themselves for certain tasks. I still have a few old Citrix-based apps where users need to launch them with admin rights and I get around this now by using CPAU, which is a bit fiddly to get working but does the job and costs nothing ( http://www.joeware.net/freetools/tools/cpau/ )

2008/12/11 Free, Bob <r...@pge.com>

That covers one element of it from a technical standpoint but my primary point (which I could have stated much clearer) was that if they are administrators on the box they can do anything they want. Regardless of what you or I put in a GPO it is relatively trivial to get around it for a determined person that already has administrative rights.

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Thursday, December 11, 2008 2:25 AM
To: NT System Admin Issues
Subject: Re: deny restart local policy?

just apply a group policy that enforces the SeShutdownPrivilege not to be applied to local administrators, but to a domain group instead. We used to have to do this when we were responsible for controlling a domain with administrators who thought they had the God-given right to take things offline that were governed by our SLAs. However, you might want to set up and add to this GPO a local user account that can shut down the system as well, just in case you lose domain connectivity and find yourself with a system you can't restart - although there is always the power cord, or RIB/DRAC/ILO reset function....

2008/12/10 Free, Bob <r...@pge.com>

SeShutdownPrivilege (Shut down the system) allows a user to restart, sleep, or shutdown the computer. Be aware that administrators are also granted SeRemoteShutdownPrivilege (Force shutdown from a remote system) by default.

That said, I'm not sure how you are going to accomplish this if the users have local admin rights.

-----Original Message-----
From: Rick Berry [mailto:rbe...@elevativenetworks.com]
Sent: Wednesday, December 10, 2008 11:45 AM
To: NT System Admin Issues
Subject: deny restart local policy?

does the Local Policy/User Rights Assignment/Shut Down The System part of policy encompass a restart as well as shutdown? need to deny folks on a particular TS box that require local admin rights the ability to reboot it. i don't recall if explicit denial of "shut down the system" also means "you can't reboot it either sucka"

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
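
An added example, not part of the original thread: a small audit of the user-rights setup discussed above, checking an exported security template for the two shutdown rights. It assumes the `[Privilege Rights]` layout written by `secedit /export /areas USER_RIGHTS`; the function names, the sample template, the domain SID and the `breakglass` local account are all constructed for illustration.

```python
import configparser

ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
RIGHTS = ("SeShutdownPrivilege", "SeRemoteShutdownPrivilege")

# Constructed sample in the layout of a secedit user-rights export.
# The domain SID, group RID and local account name are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1605,breakglass
SeRemoteShutdownPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

def holders(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the case of privilege names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {k: [p.strip().lstrip("*") for p in v.split(",") if p.strip()]
            for k, v in cp["Privilege Rights"].items()}

def audit(inf_text, domain_sid):
    """List deviations from the setup described in the thread."""
    rights = holders(inf_text)
    findings = []
    for right in RIGHTS:
        if ADMINISTRATORS in rights.get(right, []):
            findings.append(f"{right}: still granted to BUILTIN\\Administrators")
    shutdown = rights.get("SeShutdownPrivilege", [])
    if not shutdown:
        findings.append("SeShutdownPrivilege: no holder at all")
    elif all(p.startswith(domain_sid + "-") for p in shutdown):
        # Assumption: anything outside the domain SID prefix is a local principal.
        findings.append("SeShutdownPrivilege: domain principals only, no local fallback")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_INF, "S-1-5-21-1111111111-2222222222-3333333333"):
        print(line)
```

On the sample, the only finding is the remote-shutdown right still held by Administrators. The audit reads the template only and says nothing about what a local administrator can change afterwards.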