Guest Gunna Posted July 15, 2008 Posted July 15, 2008 Hi, I have a need to put an Active Directory group into the Administrators group on a number of machines for various reasons which cannot be stopped. The problem is there is an application on these machines that I do no want them to be able to access and the aaplication has no ability to request crednetials etc. It's just a dumb application. I considered using FOlder permissions to lock out the local administrator group from the folder. This stopped them from running the application until I when in as one of the users and simple took ownership of the folder and gave myself access. Then I tried adding a deny take ownership of the folder to the local admin group. Again it just allowed me to take ownership assuming becuase local admins can do that regardless of the deny rule I just created. Can anyone suggest how to stop them taking ownsership and from being able to run the application? Quote
Guest Shenan Stanley Posted July 15, 2008 Posted July 15, 2008 Gunna wrote:<span style="color:blue"> > I have a need to put an Active Directory group into the > Administrators group on a number of machines for various reasons > which cannot be stopped. The problem is there is an application on > these machines that I do no want them to be able to access and the > aaplication has no ability to request crednetials etc. It's just a > dumb application. > > I considered using FOlder permissions to lock out the local > administrator group from the folder. This stopped them from > running the application until I when in as one of the users and > simple took ownership of the folder and gave myself access. Then I > tried adding a deny take ownership of the folder to the local admin > group. Again it just allowed me to take ownership assuming becuase > local admins can do that regardless of the deny rule I just created. > > Can anyone suggest how to stop them taking ownsership and from > being able to run the application?</span> If someone is an administrator on a computer - other than encryption and other password-based limitations - you are not going to 'stop' them from doing just about anything they please. In other words - "administrators" is the default name of the group for a reason. They can administer everything on the computer as they see fit. What is this unstoppable reason to make these users administrators? Political I assume? -- Shenan Stanley MS-MVP -- How To Ask Questions The Smart Way http://www.catb.org/~esr/faqs/smart-questions.html Quote
Guest Gunna Posted July 15, 2008 Posted July 15, 2008 Yeh i thought you might say that. Partly political partly just a US company and US mentality that "we" must be in control of all things... "Shenan Stanley" wrote: <span style="color:blue"> > Gunna wrote:<span style="color:green"> > > I have a need to put an Active Directory group into the > > Administrators group on a number of machines for various reasons > > which cannot be stopped. The problem is there is an application on > > these machines that I do no want them to be able to access and the > > aaplication has no ability to request crednetials etc. It's just a > > dumb application. > > > > I considered using FOlder permissions to lock out the local > > administrator group from the folder. This stopped them from > > running the application until I when in as one of the users and > > simple took ownership of the folder and gave myself access. Then I > > tried adding a deny take ownership of the folder to the local admin > > group. Again it just allowed me to take ownership assuming becuase > > local admins can do that regardless of the deny rule I just created. > > > > Can anyone suggest how to stop them taking ownsership and from > > being able to run the application?</span> > > If someone is an administrator on a computer - other than encryption and > other password-based limitations - you are not going to 'stop' them from > doing just about anything they please. > > In other words - "administrators" is the default name of the group for a > reason. They can administer everything on the computer as they see fit. > > What is this unstoppable reason to make these users administrators? > Political I assume? > > -- > Shenan Stanley > MS-MVP > -- > How To Ask Questions The Smart Way > http://www.catb.org/~esr/faqs/smart-questions.html > > > </span> Quote
Guest Malke Posted July 15, 2008 Posted July 15, 2008 Gunna wrote: <span style="color:blue"> > Yeh i thought you might say that. Partly political partly just a US > company > and US mentality that "we" must be in control of all things...</span> Interesting. I would have thought that was a human condition and not limited to a national mindset. In any case, Shenan is correct. If you are going to give your users administrative powers, then they can do anything they want. End of story. Either find a way to do what you need that doesn't include making your users administrators or live with the consequences. Document your actions. CYA isn't limited to any particular country. Malke -- MS-MVP Elephant Boy Computers - Don't Panic! FAQ - http://www.elephantboycomputers.com/#FAQ Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.