Group Policy and user level access


Guest

Hi,

We are running Windows XP Pro and 2000 Pro on our computers. I'm in the
process of learning Group Policies and how to create, manage, deploy and
troubleshoot them (AD is still on 2000 Server based)

My 2x questions are:

How come when I remove the local Administrator rights to a user and leave
him on a basic user level access we run into all kinds of software issues
that we do not have if the user is part of the admin group. Such as Outlook
printing issues that can't create documents in Temp folders and so many other
softwares having all kinds of hiccup behaviors?

My second question: is it possible to leave my users in the local admin
groups but with group policy deny them the rights to install or remove any
applications? If so how?

Any help will be greatly appreciated since I'm kind of in a nightmare in
troubleshooting and administering all of what goes on the users' computers.

Thank you
Gabriel
 
Application compatibility issues are many, but much can be
resolved by granting to the Users group either in the filesystem
or the registry where the incompatible application is attempting
to make changes (yes, Office 2000 was incompatible with XP
guidelines for well-behaved applications).

Attempting to restrict an admin account from the exercise of
admin capabilities is an exercise in futility. They will, given
determination and a little skill or time googling, walk around
any restriction you might think you have put in place.

You should post to the windowsxp.security_admin newsgroup
for some guidance on shifting your users to being limited Users.

Roger
 
Falcon1 said:
Hi,

We are running Windows XP Pro and 2000 Pro on our computers. I'm in the
process of learning Group Policies and how to create, manage, deploy and
troubleshoot them (AD is still on 2000 Server based)

My 2x questions are:

How come when I remove the local Administrator rights to a user and leave
him on a basic user level access we run into all kinds of software issues
that we do not have if the user is part of the admin group. Such as Outlook
printing issues that can't create documents in Temp folders and so many other
softwares having all kinds of hiccup behaviors?

Why do you want to interfere in the productivity of others?

My second question: is it possible to leave my users in the local admin
groups but with group policy deny them the rights to install or remove any
applications? If so how?

Why do you want to limit what a person can or cannot do?
 
Hi Dana,

Well in most companies nowadays you need to control what a user can do on
their computers for a lot of reasons. If you go in places such as
Desjardins, Canadian Aviation Electronics (CAE), Merck Frost etc., security
is taken extremely seriously, much more than what we need to implant in my
case. These are a couple of examples which have happened in our company that
seriously cost money and time to repair and have delayed critical projects:

- You need to control what gets installed on their computer. If a user
installs a lot of non-approved softwares (screensavers, toolbars, illegal
softwares etc.) that will slow down their computers, might even crash it.

- We get audited by Microsoft every once in a while. I have users that
unfortunately do not understand that part and they install illegal softwares
such as some of Microsoft on their computers.

- Spyware is a major problem today so by removing admin rights it will be
harder for such softwares to install automatically. And spyware can gather
very confidential data.

- Plus removing admin rights shouldn't affect the users productivity, in
fact it should boost it, they have less time to fool in what they are not
hired to do and users normally do not have a whole picture in all the
inter-softwares bugs which we do have (Not a lot but enough to make a user
have critical downtimes)

I hope this answers your questions?
 
Hi Roger,

Thank you for the help I will go post on that part of the Discussion Groups
right away!
 
Dana said:
Why do you want to interfere in the productivity of others.


I do not know for the original poster, but see below . . .

Why do you want to limit what a person can or cannot do.


Most studies have shown that a main factor in the cost of supporting
desktop systems is whether the users of those systems are or are not
running as admins, with it obviously being much higher if they are.
Interfering with their productivity is usually not required, if one does
first test and prepare for the reduction of their priv level.
 
Falcon1 said:
Hi Dana,

Well in most companies nowadays you need to control what a user can do on
their computers for a lot of reasons.

I have seen IT departments abuse this, and actually reduce productivity of
the employees.
While I agree it must be done, a lot of IT guys have very little knowledge
outside of the IT world, that they actually cause more problems by making
very restrictive policies

If you go in places such as
Desjardins, Canadian Aviation Electronics (CAE), Merck Frost etc.,
security is taken extremely seriously, much more than what we need to
implant in my case. These are a couple of examples which have happened in
our company that seriously cost money and time to repair and have delayed
critical projects:

I can agree, and yes protecting the network is important, but again a lot of
IT only guys lack the exposure to other technologies and systems that they
end up causing more problems. Especially the windows IT admins, very few
have any experience in technology outside of windows.

- You need to control what gets installed on their computer. If a user
installs a lot of non-approved softwares (screensavers, toolbars, illegal
softwares etc.) that will slow down their computers, might even crash it.

A policy in your company handbook solves this problem. Having IT scan the
computers for unapproved software results in action against that employee,
up to being let go.
This way users are allowed to add the tools they need, but are held to the
fact that they cannot just install anything.

- We get audited by Microsoft every once in a while. I have users that
unfortunately do not understand that part and they install illegal softwares
such as some of Microsoft on their computers.

On this I agree especially for licensed products.
Here notifying employees that this can be an action that would result in
termination of employment would probably help your problems while allowing
users the productivity they need.

- Plus removing admin rights shouldn't affect the users productivity,

Lots of programs need admin rights.
 
Roger Abell said:
I do not know for the original poster, but see below . . .

Most studies have shown that a main factor in the cost of supporting
desktop systems is whether the users of those systems are or are not
running as admins, with it obviously being much higher if they are.
Interfering with their productivity is usually not required, if one does
first test and prepare for the reduction of their priv level.

True.
Using a different OS like UNIX will get away from the windows admin issue
anyway.
 
Dana said:
True.
Using a different OS like UNIX will get away from the windows admin issue
anyway.

Yes, it would, tossing right into the root issue though, and
trashing the productivity until they learned to do things with
the limited set of software alternatives available.
Ditto Mac X. Domination has its rewards I guess, a larger
target market so more targeting. I don't use/run Windows
because I like it, but because I like / need to support those
that require, capabilities.
 
Roger Abell said:
Yes, it would, tossing right into the root issue though, and
trashing the productivity until they learned to do things with
the limited set of software alternatives available.

Using Unix for network monitoring and engineering has way more functionality
than Windows.
So in an engineering environment, Unix is the preferred system.
Especially when using very large databases of collected info, which is why
we use Oracle on unix boxes, rather than using windows.

Ditto Mac X. Domination has its rewards I guess, a larger
target market so more targeting. I don't use/run Windows
because I like it, but because I like / need to support those
that require, capabilities.

From an engineering and reliability standpoint, and environment windows
cannot compete with the reliability and capabilities of a Unix box.
When you have to have over 100,000 subscribers on your system using Windows
just does not work as your main OS.
In business and home environments, windows is great, though Linux is
starting to give windows a run for its money as Linux becomes more user
friendly, and attracts more apps.
I myself have never been a big apple fan, except for their graphic
capability.
 
Dana said:
Using Unix for network monitoring and engineering has way more
functionality than Windows.
So in an engineering environment, Unix is the preferred system.
Especially when using very large databases of collected info, which is why
we use Oracle on unix boxes, rather than using windows.


From an engineering and reliability standpoint, and environment windows
cannot compete with the reliability and capabilities of a Unix box.
When you have to have over 100,000 subscribers on your system using
Windows just does not work as your main OS.
In business and home environments, windows is great, though Linux is
starting to give windows a run for its money as Linux becomes more user
friendly, and attracts more apps.
I myself have never been a big apple fan, except for their graphic
capability.

My experiences in one of the largest universities in north america,
having run *nix and now overseeing windows for the engineering
college recognizes some of the beliefs you have expressed but does
not recognize them as reality. Perhaps back at NT 4, but not today
if run by knowing and skilled people.
 
Roger Abell said:
My experiences in one of the largest universities in north america,
having run *nix and now overseeing windows for the engineering
college recognizes some of the beliefs you have expressed but does
not recognize them as reality. Perhaps back at NT 4, but not today
if run by knowing and skilled people.

I will say Microsoft has increased in reliability since NT and even early
win 2k. But from an engineering standpoint, there are still more apps
running on unix than windows for telco and wireless engineering and
monitoring.
Heck there are more network tools that you can run from unix than windows,
but windows on this end is trying to make changes here.
The 100,000 and above subs I mentioned above were not computer users, but
paying customers using our services, hence we have to abide by the 5 nines
for reliability, and windows is just not there yet. Not that it is a bad os,
only that it still will crash more often than a unix box (notice I did not
include linux here, as depending on your Linux distro, it may be even worse
than windows for reliability).

You are correct, in a business/educational setting, windows works great.
But when you have critical applications, Unix is the preferred OS.
 