How to create "admin" acct w/o user add/delete


Bob

I need to set some folks up as admins so that they can reliably
install and remove software. However, I don't want them to be able to
change passwords for other user accounts or add users, etc.

What specific priv's do I have to adjust to pull this off?

Thanks,
 
Ultimately you cannot do that, and just to make it clear, users do not need
to be domain administrators to do what you want - but local administrators
on their domain computers if you are talking about an Active Directory
domain.

If the software applications are .msi packages you can use Group Policy
Software Installation to assign or publish .msi packages so that regular
users can have them installed without administrator intervention.

You can however configure the computer with Group Policy restrictions for
the user to prevent access to the command prompt, edit the registry, prevent
access to .msc files used by MMC snap-ins, etc. in an attempt to restrict the
administrator. For many users this may work just fine, as they do not
understand the concept of the administrator account nor care about it;
however, a skilled user could most likely bypass restrictions to do the type
of damage you are concerned about if they were so inclined. --- Steve
 
Thanks Steve. That's an informative answer. These are workgroup, not
domain machines - which is why I don't mind them being local
administrators. Any "real" applications are already installed but they
want to be able to install their own software. It's not a situation
where I would be able to set up installs for the packages. At the same
time, I'd prefer them not to go creating more accounts or changing
passwords that other folks use.

Sounds like I can't have my cake and eat it too though.

Bob
 
That is aptly stated, have the cake and eat it too . . .
I believe that the reasoning why there is nothing provided to do
what you are after runs along the line of "well, if they can install
things, they can install things that will let them do what being an
admin would allow, so why bother limiting this?"
 
In my opinion the fact that it is not a domain does not diminish the impact
or damage a user can do being an administrator on their own computers and
possibly impact other computers on the network. Such a user is much more
likely to have a lot of spyware and introduce a backdoor or worm into the
network, and they can reconfigure or disable antivirus software, personal
firewalls, TCP/IP settings, change passwords on their computer only, etc.
Having said that, there are certainly business and political reasons in cases
to make a user a local administrator, and not all users are malicious or
overly curious. That is a call you have to make.

You can also use Group Policy on a local computer via gpedit.msc, though by
default it will apply to all users on the computer, which can make it
difficult to manage. One solution would be to use a remote computer on the
network to manage Group Policy via the MMC snap-in for Group Policy editor
and navigate to the computer you want to manage, assuming someone did not
change your administrator password. For Windows XP, MS has released the
Shared Computer Toolkit [hooray!] that makes it much easier to give different
lockdown settings to users on the same computer, though again locking down a
user that is a local administrator that is allowed to install applications
cannot really be done effectively, depending on the skills and intentions of
the user, and MS discusses this in the documentation. Often users post in this
newsgroup that also use XP, so if that is the case for you be sure to check
it out at the link below. --- Steve

http://www.microsoft.com/windowsxp/sharedaccess/overview.mspx
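
Because the replies above conclude that a local administrator cannot be stopped from adding accounts or changing other users' passwords, a complementary check is to detect those changes after the fact. The following is an added example, not part of the original thread: it assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (newer than the Windows XP systems discussed), and the function names and sample snapshots are constructed for illustration.

```powershell
# Added example: compare a saved baseline of local accounts with the current state.
# Function names and the sample data are constructed; they are not from the thread.

function Get-AccountSnapshot {
    # Live snapshot; requires the Microsoft.PowerShell.LocalAccounts module.
    Get-LocalUser | ForEach-Object {
        [pscustomobject]@{
            Sid             = $_.SID.Value
            Name            = $_.Name
            PasswordLastSet = $_.PasswordLastSet
        }
    }
}

function Compare-AccountSnapshot {
    param(
        [Parameter(Mandatory)] [object[]] $Baseline,
        [Parameter(Mandatory)] [object[]] $Current
    )
    # Index the baseline by SID so a renamed account is not reported as new.
    $old = @{}
    foreach ($a in $Baseline) { $old[$a.Sid] = $a }
    $seen = @{}
    foreach ($a in $Current) {
        $seen[$a.Sid] = $true
        if (-not $old.ContainsKey($a.Sid)) {
            [pscustomobject]@{ Change = 'AccountAdded'; Name = $a.Name; Sid = $a.Sid }
        } elseif ($a.PasswordLastSet -ne $old[$a.Sid].PasswordLastSet) {
            [pscustomobject]@{ Change = 'PasswordChanged'; Name = $a.Name; Sid = $a.Sid }
        }
    }
    foreach ($a in $Baseline) {
        if (-not $seen.ContainsKey($a.Sid)) {
            [pscustomobject]@{ Change = 'AccountRemoved'; Name = $a.Name; Sid = $a.Sid }
        }
    }
}

# Constructed sample snapshots (not real accounts) so the comparison runs offline.
$baseline = @(
    [pscustomobject]@{ Sid = 'S-1-5-21-1-2-3-1001'; Name = 'alice'; PasswordLastSet = [datetime]'2024-01-10' }
    [pscustomobject]@{ Sid = 'S-1-5-21-1-2-3-1002'; Name = 'carol'; PasswordLastSet = [datetime]'2024-01-12' }
)
$current = @(
    [pscustomobject]@{ Sid = 'S-1-5-21-1-2-3-1001'; Name = 'alice'; PasswordLastSet = [datetime]'2024-03-02' }
    [pscustomobject]@{ Sid = 'S-1-5-21-1-2-3-1003'; Name = 'temp1'; PasswordLastSet = [datetime]'2024-03-02' }
)
Compare-AccountSnapshot -Baseline $baseline -Current $current | Format-Table
```

On a real machine, pass the output of `Get-AccountSnapshot` as `-Current` and keep the baseline on a different computer, since a local administrator can edit any file stored on the machine being checked.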
 