alowing regular users (not power users) to change network settings and power options

  • Thread starter Thread starter Stephen M
  • Start date Start date
S

Stephen M

We have a network of Windows 2K and XP pro workstations which are members of
a Win2003 domain.

When we migrated first set up this domain, we made everyone regular users.
Specifically because we did not want people installing programs. Cleaning up
spyware infections was getting to be a full-time job.

It solved the spyware problem, but locked people out of some functions that
they had a legitimate need to get into. Specifically, laptop users need to
occaisionally mess with their network settings and power options would be
nice as well.

Ideally, I would like this to allow this via the domain controller rather
than by administering individual machines.

Could someone point me in the right direction for accomplishing this?

Thanks,

Steve
 
With the XP systems, you can add the users to the Network Configuration
Operators local group.

For 2k I don't know. I'd look at all the rights that the aforementioned
group has and try configuring the same for a domain local group in the
lab...
 
Stephen M said:
We have a network of Windows 2K and XP pro workstations which are members
of a Win2003 domain.

When we migrated first set up this domain, we made everyone regular users.
Specifically because we did not want people installing programs. Cleaning
up spyware infections was getting to be a full-time job.
Click to expand...

This will not in general prevent installation of programs so it may
not even do what you wanted.

You pretty much have to use a tedious combination of Software
Restriction Groups AND careful NTFS permissions to prevent
installation of programs.
It solved the spyware problem, but locked people out of some functions
that they had a legitimate need to get into. Specifically, laptop users
need to occaisionally mess with their network settings and power options
would be nice as well.
Click to expand...

Paul's idea (this thread) seemed helpful for the network portion.
Ideally, I would like this to allow this via the domain controller rather
than by administering individual machines.

Could someone point me in the right direction for accomplishing this?
Click to expand...

You can grant rights to do certain task, or even permissions on Files
(but almost no one does that since it is so difficult to get correct) from
a GPO on the DCs. You can also put people into well-known local
groups (like Power Users) from a GPO by using Restricted Groups
(run the GPEdit from a workstation or non-DC server to see those
local groups however.)
 
Back
Top