On Thursday 19 October 2006 14:55, Tyran Ormond wrote:
> On 02:18 PM 10/19/2006 +0100, it would appear that James Weatherall wrote:
> > Tyran,
> >
> > > Regardless, if the current user can
> > > read the key, the current user has full access to the clear text
> > > password via SIW and likely other similar utilities.
> >
> > The current user can only read the relevant keys if they are a member of
> > the Administrators group, in which case they have complete access to your
> > system anyway.
>
> True but you're missing the point I was making: Group A are Domain
> Admins and have access to all the machines across the network via
> their own user account and via VNC. Group B are part of the
> Administrators Group on their own machines only (due to idiot
> software that can only be run under an administrative account) and
> are restricted access to only their machines and have no VNC access
> to any machines.

Just curious: couldn't you set Group B read/write access rights for the
specific folders/files that the "idiot software" requires? I had to do that
for an application which tried to write into some dictionary file in
C:\Programs and Files. So, I allowed the particular plain user to read/write
the specific application file(s) without elevating their account privileges
across the board.

Alternatively, use a combination of a Power User account, but with locked
down access rights to all executables and necessary directories, rendering it
virtually incapable of running much more than the "idiot software". The link
below gives some ideas (albeit in reverse) that may be worth looking into:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure01182005.asp

-- 
Regards,
Mick

_______________________________________________
VNC-List mailing list
VNC-List@realvnc.com
To remove yourself from the list visit:
http://www.realvnc.com/mailman/listinfo/vnc-list
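
Added example (not part of the original message): one way to apply the per-file access rights the reply describes on a current Windows system, so a standard account can write one application file without local Administrators membership. The file path and account name are hypothetical placeholders, and the script assumes PowerShell 5.1 or later run from an elevated prompt.

```powershell
param(
    # Hypothetical file the application insists on writing to.
    [string]$Path    = 'C:\Program Files\ExampleApp\dictionary.dat',
    # Hypothetical standard (non-admin) local account.
    [string]$Account = "$env:COMPUTERNAME\appuser"
)

# S-1-5-32-544 is the well-known SID of the local Administrators group.
# Only direct members are listed; membership via a nested domain group
# is not expanded here and has to be checked separately.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object -ExpandProperty Name
if ($admins -contains $Account) {
    throw "$Account is still a local administrator; remove that membership first."
}

if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
    throw "File not found: $Path"
}

# Allow Modify (read, write, delete) on this one file only.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, 'Modify', 'Allow')

$acl = Get-Acl -LiteralPath $Path
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $Path -AclObject $acl

# Show the explicit (non-inherited) entries the account now holds on the
# file, so the change can be reviewed and recorded.
(Get-Acl -LiteralPath $Path).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account -and -not $_.IsInherited } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

If the application replaces the file by writing a temporary copy and renaming it, a file-level entry is lost on each save; in that case grant the right on a dedicated subfolder that holds only that file.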