power users a risk
Posted on 2014-03-17
i am trying to quantiy the risk with the power users group on an old 2003 server. I notice the domain users group is a member of power users (so basically every user in the network has power user access on this server), however,, looking at this power users policy, they cannot remote onto the server via remote desktop,
my question is... is there any other way a power user could access resources on the server "remotely", or add themselves to admin level groups/policies "remotel"? I cant quite grasp the risk. The server is located in a secure data centre so they cant physically logon at console either, nor do they have access to the admin shares via map network drive etc. It sounds like a big problem, but I am not sure it is.
Obviously the ultimate solution would be to remove power user permissions on the server from the domain users group... but I would like to first understand the risks...