|
Posted by Al Dunbar on July 18, 2007, 11:35 pm
Please log in for more thread options
That would seem to be the case, however, I do not know for sure. I would be
concerned about making anyone able to logon to the server an administrator
at that time without finding a way to ensure that the unqualified will never
be able to logon there. Whether this is done through physical security or
withholding local logon rights does not matter - so long as it works
consistently.
/Al
> so the short answer is add NT AUTHORITY/INTERACTIVE right on the
> workstation
> for the user?
>
> geo
>
>> The trick here is that if you make someone an administrator, you might as
>> well admit that they own it - or will when they figure out how to defeat
>> any
>> tweaks implemented to restrict their access.
>>
>> /Al
>>
>>> Correct. We use it on our user pc's. It gives whoever logs on locally
>>> the
>>> local admin rights to install software. They can not, however, connect
>>> to
>>> any
>>> other pc remotely, except under specific conditions. I.E, they put
>>> themselves in the administrators group on one pc, and then log onto
>>> another
>>> pc.
>>>
>>> Martin X. wrote:
>>>>Carl:
>>>>
>>>>This looks interesting. Does it only limit them to interactive logons at
>>>>the
>>>>console and RDP? So they wouldn't be able to do any admin level stuff
>>>>via
>>>>something like the comp mgt mmc from another computer?
>>>>
>>>>Regards,
>>>>Martin
>>>>
>>>>If you want to allow users full access to a member server, but not the
>>>>domain,
>>>>you can add "NT AUTHORITY\INTERACTIVE" to the administrators group on
>>>>the
>>>>member server. This will grant any logged on user admin rights to the
>>>>member
>>>>server when they are logged into it.
>>>>
>>>>George Hardy wrote:
>>>>>hi all,
>>>>>
>>>>[quoted text clipped - 7 lines]
>>>>>thanks,
>>>>>george hardy
>>>
>>> --
>>> Message posted via http://www.winserverkb.com
>>>
>>
>>
>
>
| 
XML Sitemap