Announcement

Collapse
No announcement yet.

User Rights Issues

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • User Rights Issues

    Hi all,

    I have a minor issue. I work at a school and the students all use a collective series of domain users (grade1, grade2, grade3, etc.) We do not want the students having the ability to do much of anything (uninstall and install apps, etc.), so they're not administrators or anything like that.

    However, I noticed something strange. The kids use a lot of online programs and they need Adobe Flash. That's installed on all PCs. But on one, I noticed it was gone. So I reinstalled it. Then I thought, "How the Hell did it just disappear?" So I logged on as a student and attempted to uninstall Flash. It worked! I attempted to install, and it didn't, as expected.

    Now, on all our PCs I have "domain users" as a member of the local "Power Users" group. Is that, perhaps, what's allowing them to uninstall Flash (and possibly other apps)? These same users do need the ability to add printers from a print server, etc. That's why I have "domain users" in there. Just to be sure they're not blocked from doing legit things.

    Your advice... What's my solution here? Thanks!

    Chris

  • #2
    Re: User Rights Issues

    Originally posted by WorldBuilder View Post
    So I logged on as a student and attempted to uninstall Flash. It worked!
    Well Power Users can modify or, install programs that do not modify operating system files!

    Adding domain users to the Power users group is not recommended, they can customize systemwide resources including date and time, configure critical operating system parameters and more. And when connected to the Internet they could make the system vulnerable to Trojan horse programs and other security risks. Additionally, Power user on Windows versions older than Vista have too much power (including making themselves local admin).



    Originally posted by WorldBuilder View Post
    These same users do need the ability to add printers from a print server, etc. That's why I have "domain users" in there. Just to be sure they're not blocked from doing legit things.

    Your advice... What's my solution here?
    By default Domain Users are allowed to connect to network printers from their workstation, and having the printer driver installed.

    check the registry on one of the XP workstations, what is the value of "AddPrinterDrivers" in "HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers" (if this key exist). The entry should not exist on workstations, or if it does exist it must have value 0 to allow users to install the drivers.
    This entry is controlled by a Computer GPO (Computer configuration/Windows settings/security settings/local policies/security options -> "Devices: Prevent users from installing printer drivers").

    /Rems

    This posting is provided "AS IS" with no warranties, and confers no rights.

    __________________

    ** Remember to give credit where credit's due **
    and leave Reputation Points for meaningful posts

    Comment


    • #3
      Re: User Rights Issues

      Hi Rems,

      Good info, thanks. I did not know all that about Power Users. Seems they should not be in there, and if I have to visit every PC to remove them, I will. Is there a way to do it via GPO from AD so I don't have to visit 300 PCs?

      Thanks!

      Chris

      Comment


      • #4
        Re: User Rights Issues

        See if this helps. http://forums.petri.com/showthread.php?t=25515
        1 1 was a racehorse.
        2 2 was 1 2.
        1 1 1 1 race 1 day,
        2 2 1 1 2

        Comment


        • #5
          Re: User Rights Issues

          Perfect, thanks!

          Comment


          • #6
            Re: User Rights Issues

            Depending on your AD Server, Print Server, you can create a GPO to allow the users to install printers (and their drivers) without having administrator/power user rights.

            I just did this to all of the users at my company, I got tired of running around installing printers all of the time.

            Brent

            Comment

            Working...
            X