Group Policy and new users question

I have a Small Business Server installation at an office where we have more users than computers. We use roaming profiles to let all the users on the network gain access to their data. We also have a fair amount of turnover, so users are being added and deleted all of the time. When I add a new user and they use any of the Office programs for the first time on a computer, it launches the Windows Installer to let them finish the initial setup for that program for each user. If this user has not been given explicit local administrator privilege, they can't finish the install and just get an error code. If the user is given local admin privileges, then the installation finishes with no problem and it's never an issue again. Right now I have to go to each computer that the new user works on and give them local admin privileges, which is inefficient and time-consuming (and not as secure as I'd like). What I would like to do is create a Group Policy that allows users to either (in order of preference):

a) Be able to finish the install of these programs without having to be local admins

or

b) Allow users to be local admins of these computers when their accounts are created

I'd like to create this policy on the DC so I can have as centralized as possible administration for the network.

Thanks!
Asked by ssittig
1 Solution
 
m0nst3rCommented:
You have a couple of options. In a W2K domain environment you can use the group policy to "elevate rights for installs", or you can use "mmc" to connect to each PC and assign "Everyone" to the local administrators group, which will accomplish what you need.
0
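The "elevate rights for installs" group policy mentioned in this answer is not named precisely in the thread. The following is an added example, not code from the thread or from any of its posters, and it assumes that policy is the Windows Installer setting "Always install with elevated privileges", which writes the DWORD value AlwaysInstallElevated under the two registry keys below. It reports whether the policy is actually in effect on the workstation it runs on, because it only applies when both the Computer Configuration and the User Configuration halves are set.

```powershell
# Added example, not code from the thread. It assumes the "elevate rights for
# installs" policy referred to above is the Windows Installer policy
# "Always install with elevated privileges", which sets the DWORD value
# AlwaysInstallElevated under the two keys below.
$InstallerPolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',   # Computer Configuration half
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'    # User Configuration half
)

function Get-AlwaysInstallElevatedState {
    # Returns a hashtable: registry key -> 0 or 1 (a missing value counts as 0)
    $state = @{}
    foreach ($key in $InstallerPolicyKeys) {
        $value = 0
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key -Name 'AlwaysInstallElevated' -ErrorAction SilentlyContinue
            if ($null -ne $props) { $value = [int]$props.AlwaysInstallElevated }
        }
        $state[$key] = $value
    }
    return $state
}

function Test-AlwaysInstallElevated {
    # The policy is only in effect when BOTH halves are set to 1.
    $state = Get-AlwaysInstallElevatedState
    return (@($state.Values | Where-Object { $_ -eq 1 }).Count -eq 2)
}

$state = Get-AlwaysInstallElevatedState
foreach ($entry in $state.GetEnumerator()) {
    '{0}  AlwaysInstallElevated = {1}' -f $entry.Key, $entry.Value
}

if (Test-AlwaysInstallElevated) {
    # With both halves set, every MSI package this user launches runs with
    # LocalSystem rights, not only the Office first-run setup, so the setting
    # is broader than the per-program install the question asks for.
    Write-Warning 'AlwaysInstallElevated is in effect for the current user.'
} else {
    'AlwaysInstallElevated is not in effect (one or both halves are 0 or missing).'
}
```

Run it in the session of the user who hits the Office first-run prompt: the HKCU half is read from the hive of whoever runs the script, so running it as an administrator on the same machine can report a different result than the affected user sees.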
 
ssittigAuthor Commented:
Elevating rights for installs seems like it would be perfect for what I am doing. Is there any reason why I would need to have "everyone" be a local admin for the machines? I would just love to not give users that privilege so I could have some control over what is happening on the network.

Thanks for your help.
0
 
m0nst3rCommented:
There is no need to give everyone local admin rights if you are going to use the GP to elevate rights. Giving local admin rights does not give the user admin rights on the network, though; that is decided by the groups you have them assigned to. Remember, there are 2 types of access, local PC and domain, so putting everyone in the local admin group does help out with installs, printers, and some programs that need admin rights, without giving the basic user too much.
0
 
MSGeekCommented:
One other solution that has worked for me was to launch the programs as the administrator; once done running the install wizard, copy the administrator's profile over the default user profile.
0
 
trywaredkCommented:
:o) ssittiq..., and everybody else.

PLEASE READ THIS CAREFULLY:

You must NEVER NEVER NEVER grant Everyone membership of the LocalAdminGroup on each workstation.

And You must NEVER NEVER grant a DomainUserGroup membership of the LocalAdminGroup on each workstation.

And You must NEVER grant the same DomainUser membership of the LocalAdminGroup on more than his/her own workstation.

If You grant Everyone membership of the LocalAdminGroup, Everyone gets unlimited REMOTE access power of every workstation on Your network.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. ComputerManagement (Control Panel)

If You want to know about this issue, look at my question on http://www.experts-exchange.com/Security/Win_Security/Q_20506528.html or look at my description of this problem on http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
0
 
trywaredkCommented:
:o) Sorry - I accidentally hit the refresh button
0
 
trywaredkCommented:
MSGeek.. Never use Explorer to copy profiles; always use User Profiles when right-clicking My Computer\Properties.
0
 
MSGeekCommented:
trywaredk.. You must NEVER NEVER NEVER hit the refresh button on EE!  :)
0
 
MSGeekCommented:
I never advised the use of Explorer to copy profiles, where did you get that idea???
0
 
trywaredkCommented:
:o) MSGeek.. It could be misunderstood that You advised to COPY the administrator's profile over the default user profile.
0
 
m0nst3rCommented:
Well, I tested your theory that "Local\Everyone" in the "Local Administrators" group has remote access to the \\xxx\C$ share. And it is not true in a domain environment. Those shares are for remote NETWORK admin access, and therefore not accessible to the "Domain Users" group. For it to be true a user has to be signed on to a local computer with Admin rights (not the domain) AND have a "local" user account on the remote PC.
In a domain environment users have to be given specific rights to network resources.
As far as the registry and computer management, they do have access to it ONLY on the local machine, and that can be controlled through the use of policies.
Also, I distinctly remember saying that the installs can be controlled using the GP by elevating rights for installs only, which would also solve this problem.
0
 
trywaredkCommented:
M0nst3r..

Credentials in W2K are given the second You press ENTER on the password when logging on.

Try again after logout and logon, and You will see, that You're wrong, and I am right about the local admin group.

By the way - when testing it - You have to grant Everyone to the local admin group on BOTH test-workstations, and logout and logon again.

Please reply, when You have removed Everyone again!
0
 
ssittigAuthor Commented:
m0nst3r,

Thanks, where can I find the elevate users rights for installs?

Thanks
-S
0
 
trywaredkCommented:
:o) Dear friends - Please realize, that being member of the local admin group means what it says - You can do anything You like with Your workstation:

1.  Create a local account on the workstation, and add this local account to local admin group
2.  Logon locally as the new local account
3.  RightClick MyComputer
4.  Choose Manage
5.  Choose Local Users and Groups
6.  Choose Groups
7.  Choose Administrators
8.  Choose Add...
9.  Choose Your Domain in Look in:
10. Logon as an ordinary DomainUser (NOT member of Local or Global Admin Group): Input Domain Name\Domain User Name and Domains Users password
11. Add Your own ordinary Domain User Name
12. Apply and log off.
13. Logon to Your Domain as an ordinary Domain User

Surprise for some of You - Your Domain User is still member of local admin group.

:o) And we can't do anything about it - or can we???

The problem is that more and more programs UPDATE themselves while users are logged on, requiring them to be members of the local admin group.

Being that, they can do unlimited remote access to every other workstation on the network, if they also are members of the local admin group on the remote workstation.

Some are, because some IT sysadmins place Domain Groups in the local admin group.

And You can't do anything about it with policy, if You (being a member of the Global admin group) want to be able to do remote administration of all Your workstations.

0
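Both trywaredk's warning about Everyone, Domain Users and cross-workstation local admin membership and the 13-step walk-through above come down to one question a sysadmin can answer from the DC: who is actually in the local Administrators group on each workstation right now? The script below is an added example, not code from the thread or from any poster. It assumes PowerShell 5.1 or later on the workstations and WinRM enabled for Invoke-Command; the workstation names and the workstation-to-user mapping are constructed sample data.

```powershell
# Added example, not code from the thread. Audits the local Administrators
# group on a list of workstations and flags the memberships the thread warns
# about. Assumes PowerShell 5.1+ (Get-LocalGroupMember) and WinRM on targets.

# Constructed sample data: workstation names and the user assigned to each.
$Workstations = @('WS01', 'WS02')
$PrimaryUser  = @{ 'WS01' = 'CORP\alice'; 'WS02' = 'CORP\bob' }

function Get-LocalAdminAudit {
    param(
        [string[]]$ComputerName,
        [hashtable]$Owner          # workstation -> DOMAIN\user assigned to it
    )

    # Collect membership remotely; return plain strings so they survive
    # remoting serialization unchanged.
    $members = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Name     = $_.Name
                Sid      = $_.SID.Value
                Class    = "$($_.ObjectClass)"
                Source   = "$($_.PrincipalSource)"
            }
        }
    }

    foreach ($m in $members) {
        $flag = $null
        switch -Regex ($m.Sid) {
            '^S-1-1-0$'  { $flag = 'Everyone is a local admin (grants remote admin access to this host)' }
            '^S-1-5-11$' { $flag = 'Authenticated Users is a local admin' }
            '-513$'      { $flag = 'Domain Users is a local admin' }
        }

        # A domain user account that is an admin on a machine other than the
        # one assigned to it (the situation the 13-step walk-through produces).
        if (-not $flag -and $m.Class -eq 'User' -and $m.Source -eq 'ActiveDirectory') {
            $expected = $Owner[$m.Computer]
            if ($m.Name -ne $expected) {
                $flag = "domain user is a local admin on a workstation not assigned to them (expected $expected)"
            }
        }

        [pscustomobject]@{
            Computer = $m.Computer
            Member   = $m.Name
            Finding  = $flag           # $null means nothing to report
        }
    }
}

$audit = Get-LocalAdminAudit -ComputerName $Workstations -Owner $PrimaryUser
$audit | Where-Object { $_.Finding } | Format-Table -AutoSize

# Members of the built-in domain admin groups (Domain Admins RID 512) are
# expected in the list on every workstation and are not flagged above.
```

The report lists every finding per workstation; a domain user who added themselves through a local account, as in the steps above, shows up as an admin on a machine not assigned to them. For enforcement rather than detection, the Restricted Groups setting under Computer Configuration > Windows Settings > Security Settings lets the DC define the Administrators membership list that each workstation resets to at policy refresh.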
