Group Policy and User restrictions

Hi,

We are running Windows XP Pro and 2000 Pro on our computers. I'm in the
process of learning Group Policies and how to create, manage, deploy and
troubleshoot them (AD is still on 2000 Server based)

My 2x questions are:

How come when I remove the local Administrator rights to a user and leave
him on a basic user level access we run into all kinds of software issues
that we do not have if the user is part of the admin group. Such as Outlook
printing issues that can't create documents in Temp folders and so many other
software having all kinds of hiccup behaviors?

My second question is it possible to leave my users in the local admin
groups but with group policy deny them the rights to install or remove any
applications? If so how?

Any help will be greatly appreciated since I'm kind of in a nightmare in
troubleshooting and administering all of what goes on the users computers

Thank you
Gabriel
 
Falcon1 said:
How come when I remove the local Administrator rights to a user and leave
him on a basic user level access we run into all kinds of software issues

There are two distinct issues here. Some software is badly written and will not
run for non-administrative users. Such software is in the minority and does not
typically include the major Microsoft products such as Outlook.

The problem you're more likely running into here is that if the user account has
already been used as an administrator it may have files and folders with
incorrect permissions. Do these problems occur with a new account which was
never used as an administrator?

My second question is it possible to leave my users in the local admin
groups but with group policy deny them the rights to install or remove any
applications? If so how?

Basically no. You can't reliably prevent an administrator from doing anything
they want. Even where there is group policy to block something, it is (almost)
always possible for an administrator to block or override the group policy. I'm
not aware of any group policy that can prevent the installation or removal of
software in any case.

Harry.
 
Hi Harry,

I will double-check with a new profile if the same thing happens. For sure
MS Outlook 2003 needs write permissions on the user and system Temp
variables, otherwise it prints only the Header and no body. It took me a long
time to figure this out. Which is why I posted the question because to me it
makes no sense.

I'll come back with an answer today.
 
Falcon1 said:
I will double-check with a new profile if the same thing happens. For sure
MS Outlook 2003 needs write permissions on the user and system Temp
variables,

Could you clarify what you mean by this?

Harry.
 
With pleasure,

We found out that Outlook 2003 when printing e-mails needs to have write
access for the Env. variable for the TMP user variable (Default path) and
Write access for the C:\WINNT\Temp folder.

Otherwise we run into printing e-mails that have absolutely no body but only
the header info (subject, from, to, etc...)

And this is happening even with a new profile like you suggested. I still
have to do a bit more testing of the rest of the other issues we've been
having.
 
Falcon1 said:
We found out that Outlook 2003 when printing e-mails needs to have write
access for the Env. variable for the TMP user variable (Default path)

You always have write access to environment variables; I assume you mean that
you need to have write access to the folder specified by the TMP environment
variable?

This shouldn't normally be a problem because TMP usually points to the per-user
temporary folder which the user has write access to. Do you have TMP explicitly
set to some non-standard location?

and Write access for the C:\WINNT\Temp folder.

That shouldn't be necessary. I'm sure if this were normally the case it would
have been reported and fixed by now, because it would affect anyone using
Outlook with limited accounts.

One question: WINNT? What OS are you using?

Harry.
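
A way to answer the two questions raised in the reply above (where TMP actually points, and whether the limited account can write there), as an added example that is not part of the original thread. It assumes Windows PowerShell is installed on the workstation and is run while logged on as the affected non-administrator user; the function name `Test-FolderWritable` is hypothetical.

```powershell
# Added example: show where TMP/TEMP point at each scope and whether the
# current user can really create a file there.
function Test-FolderWritable {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path -PathType Container)) {
        return $false   # variable points at a missing or non-folder path
    }
    $probe = Join-Path $Path ([System.IO.Path]::GetRandomFileName())
    try {
        # Creating and deleting a probe file is the same operation an
        # application performs when it spools a temporary document.
        [System.IO.File]::Create($probe).Close()
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false   # access denied or similar
    }
}

$results = @()
foreach ($name in 'TMP', 'TEMP') {
    # Process = what applications started in this session inherit,
    # User    = per-user setting, Machine = system-wide setting.
    foreach ($scope in 'Process', 'User', 'Machine') {
        $raw = [Environment]::GetEnvironmentVariable($name, $scope)
        if (-not $raw) { continue }
        $path = [Environment]::ExpandEnvironmentVariables($raw)
        $results += New-Object PSObject -Property @{
            Variable = $name; Scope = $scope; Path = $path
            Writable = (Test-FolderWritable $path)
        }
    }
}

# The system temp folder discussed in the thread (C:\WINNT\Temp on that
# machine), resolved through SystemRoot instead of a hard-coded path.
$sysTemp = Join-Path $env:SystemRoot 'Temp'
$results += New-Object PSObject -Property @{
    Variable = '(system temp)'; Scope = 'n/a'; Path = $sysTemp
    Writable = (Test-FolderWritable $sysTemp)
}

"Running as: " + [Security.Principal.WindowsIdentity]::GetCurrent().Name
$results | Format-Table Variable, Scope, Path, Writable -AutoSize
```

A `Process`-scope TMP that resolves outside the user's own profile, or that shows `Writable = False`, points to a redirected or mis-permissioned temp folder rather than a need for administrator rights.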
 