Do system policies affect administrators

  • Thread starter Thread starter Andy
  • Start date Start date
A

Andy

We have a network that uses a horrible piece of software provided by our
bank which will not work unless the users are all given administrator access
rights. I want to prevent users from accessing their local hard drives,
forcing them to save onto the server. Is it possible to do this with system
policies or do system policies have no affect on administrators?

Thanks
Andy
 
Group Policies in Windows 2000 can indeed apply to local administrators that are
domain users. The problem is if a user realizes they are a local administrator they
may decide to create a local administrator account to logon to avoid any domain
policy restrictions or use their power to otherwise try to evade restrictions. Local
Group Policy via gpedit.msc will apply to all users logging on locally unless a
domain policy overrides it and then will override local policy for domain users. Keep
in mind that many Group Policy settings only hide access and may not prevent access
in all cases - be sure to read full explanation of any policy setting.

Another solution may be to try to find out what registry and file permissions need to
be modified to allow regular users to run the application. There are two free tools
from SysInternals that can help you figure that out called filemon and regmon. Try to
first use filemon and logon to a computer as a regular user and then start filemon
using runas with administrator credentials just before you try to start your
application. As soon as it hangs/balks check the log for filemon to see entry for
"access denied". Then change the permissions to modify for that file/folder where
access was denied and document it. Run filemon again doing the same thing. In the
meantime you may have to run regmon to find a registry key where users need access if
fimemon does not find where access is denied. While the log files will show a lot of
entries, look for access denied entries and you just may be able to track down
permissions needed for a regular user to run the application. --- Steve

http://www.sysinternals.com/ntw2k/source/filemon.shtml
 
Steve

Thanks. You certainly went the extra mile with the second section. It was
very interesting. It will certainly require some thought.

Thanks again
Andy
 
Back
Top