Can't execute from USB sticks due to my AppSense rules :-) 2009/4/23 Kurt Buff <kurt.b...@gmail.com>
> fileacl.exe on a usb stick? Heh. > > On Thu, Apr 23, 2009 at 00:34, James Rankin <kz2...@googlemail.com> wrote: > > Yes, but if they get around the restrictions that I have implemented, > then > > they can have a job :-) They can't change the false proxy because they > are > > locked out of the inetcpl.cpl, the regedit tool and the reg.exe tool via > > NTFS permissions. And they can't change the NTFS permissions on the files > > because they are locked out of rshx32.dll and cacls.exe via NTFS > > permissions. There is probably a way around it, but even if they do get > > around it, WebSense will alert me straight away to the traffic flowing > from > > these hosts, in which case I can go and offer them a post in first-line > > support. > > > > 2009/4/23 Ken Schaefer <k...@adopenstatic.com> > >> > >> If they are administrators, they can defeat GPOs given sufficient > >> knowledge... > >> > >> Cheers > >> Ken > >> > >> ________________________________ > >> From: James Rankin [kz2...@googlemail.com] > >> Sent: Thursday, 23 April 2009 5:12 PM > >> To: NT System Admin Issues > >> Subject: Re: Restricted groups, where have you been.... > >> > >> For those who can remember the NT4 days, GPOs as a whole are an awesome > >> admin tool. When I managed an NT4 network with 10,000 users I actually > had > >> batch scripts running overnight that reset the user rights on all DCs > and > >> members servers, checked the local group memberships and altered them > back > >> to a default if they'd changed. Group Policy finally made my life easy. > >> > >> I just recently implemented a group policy that blocks internet access > on > >> our few scanning workstations even though the users are admins...a > >> combination of a false proxy and restrictive file permissions on > >> inetcpl.cpl, regedit, reg.exe, rshx32.dll and cacls.exe has done the > trick. > >> Power is great!!!! > >> > >> 2009/4/22 David Lum <david....@nwea.org> > >>> > >>> …all my life! We are just getting to use this feature and it’s DA BOMB! > >>> Being able to add users to local groups w/out affecting the existing > >>> memberships is awesome! > >>> > >>> > >>> > >>> We are narrowing down how many Domain Admins we have and this feature > is > >>> *hugely* helpful in delegating to non domain admins. > >>> > >>> David Lum // SYSTEMS ENGINEER > >>> NORTHWEST EVALUATION ASSOCIATION > >>> (Desk) 971.222.1025 // (Cell) 503.267.9764 > >>> > >>> > >>> > >>> > >>> > >>> > >> > >> > >> > >> > >> > >> > >> > >> > > > > > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~