Limit Rights Of Local Administrators By Using Group Policy?

Mygposts
      03-12-2009
We have some laptops that we will be loaning out to users and they need
Administrator rights for the purpose of installing and using their own
personal wireless NIC cards since the laptops don't have them and they have a
need for wireless access at home. They do not need admin rights for anything
else.
We do not want them downloading or installing anything else. The laptops
are supposed to be only used for the purpose of remote controlling their
desktop that remains in the office by using RDP over a VPN connection.
We would like to restrict the users so all they can do is log in, install
and configure their wireless card, verify internet connectivity, launch the
VPN software and launch remote desktop software to access the remote PC.

Is there some way to restrict the users to only performing those tasks while
still having the needed rights to install the wireless nic cards?
 
Florian Frommherz [MVP]
      03-12-2009
Howdie!

Mygposts wrote:
> We have some laptops that we will be loaning out to users and they need
> Administrator rights for the purpose of installing and using their own
> personal wireless NIC cards since the laptops don't have them and they have a
> need for wireless access at home. They do not need admin rights for anything
> else.


Then find a way to install the NIC cards for them. Don't let them
install them themselves. Put them into the "Network Operators" group
(Windows XP and above) so they can change IP settings and stuff - but
don't grant them admin permission on the boxes in the first place.

> Is there some way to restrict the users to only performing those tasks while
> still having the needed rights to install the wireless nic cards?


The thing is -- an admin is an admin. You can't put things into place an
admin can't revert. Even taking permissions on folders can be reverted
by simply taking ownership of it and applying different settings. The
same applies for GP - although it's a little harder.

GPs are applied periodically in the background - but admins are allowed
to change the registry settings GP puts into place (to restrict access
to features/hide things,... you get the picture). They can revert the
settings you put into place with GP.

The bottom line is: make them non-admin.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
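As an added illustration of the advice above (an example script written for this page, not code from Florian or anyone else in the thread): audit who is in the local Administrators group on a loaner laptop, then move the loan accounts out of it and into the built-in "Network Configuration Operators" group (the group Florian refers to as "Network Operators"), which lets a standard user change IP settings without being an admin. It assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and newer); the account names `loanuser1`, `loanuser2` and `LaptopSupport` are constructed samples.

```powershell
#Requires -RunAsAdministrator
<#
  Added example, not from the thread. Audits the local Administrators group, warns about
  any member not on the approved list and, with -Remediate, demotes the loan accounts to
  "Network Configuration Operators". Assumes the LocalAccounts cmdlets
  (Get-/Add-/Remove-LocalGroupMember). All account names below are constructed samples.
#>
param(
    # Constructed sample: the accounts that will be handed the loaner laptops.
    [string[]]$LoanUsers = @('loanuser1', 'loanuser2'),
    # Constructed sample: the only accounts allowed to remain local admins.
    [string[]]$AllowedAdmins = @('Administrator', 'LaptopSupport'),
    [switch]$Remediate
)

$adminGroup  = 'Administrators'
$netOpsGroup = 'Network Configuration Operators'

# Strip a leading "COMPUTER\" or "DOMAIN\" so names compare consistently.
function Get-ShortName([string]$Name) { ($Name -split '\\')[-1] }

# --- 1. Audit: who is a local admin right now? ---------------------------
$members    = Get-LocalGroupMember -Group $adminGroup
$unexpected = $members | Where-Object { $AllowedAdmins -notcontains (Get-ShortName $_.Name) }

Write-Host "Members of $adminGroup on ${env:COMPUTERNAME}:"
$members | ForEach-Object { Write-Host ("  {0,-35} {1}" -f $_.Name, $_.ObjectClass) }

if ($unexpected) {
    Write-Warning ("Unexpected administrators: " + (($unexpected | ForEach-Object Name) -join ', '))
} else {
    Write-Host "Administrators group matches the approved list."
}

# --- 2. Remediate: make the loan users non-admins -------------------------
if (-not $Remediate) {
    Write-Host "Run again with -Remediate to demote the loan users. No changes made."
    return
}

foreach ($user in $LoanUsers) {
    $isAdmin = $members | Where-Object { (Get-ShortName $_.Name) -eq $user }
    if ($isAdmin) {
        Remove-LocalGroupMember -Group $adminGroup -Member $user -ErrorAction Stop
        Write-Host "Removed $user from $adminGroup"
    }
    # Add-LocalGroupMember throws if the member is already present, so check first.
    $inNetOps = Get-LocalGroupMember -Group $netOpsGroup -ErrorAction SilentlyContinue |
                Where-Object { (Get-ShortName $_.Name) -eq $user }
    if (-not $inNetOps) {
        Add-LocalGroupMember -Group $netOpsGroup -Member $user -ErrorAction Stop
        Write-Host "Added $user to $netOpsGroup"
    }
}

# --- 3. Verify: no loan user may still be an admin ------------------------
$stillAdmin = Get-LocalGroupMember -Group $adminGroup |
              Where-Object { $LoanUsers -contains (Get-ShortName $_.Name) }
if ($stillAdmin) { throw "Loan users still in ${adminGroup}: $($stillAdmin.Name -join ', ')" }
Write-Host "Done. Loan users are standard users with $netOpsGroup rights only."
```

Run it once without `-Remediate` to see the current membership, then with `-Remediate` from an elevated prompt. On the XP/Vista era systems the thread is about, where these cmdlets do not exist, the same group changes are made with `net localgroup Administrators loanuser1 /delete` and `net localgroup "Network Configuration Operators" loanuser1 /add`. Note that membership in Network Configuration Operators covers the TCP/IP and connection settings the users need; it does not let them install a driver for a new NIC, which is exactly why the card should be installed by IT before the laptop goes out.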
 
 
Lanwench [MVP - Exchange]
      03-12-2009
Mygposts <> wrote:
> We have some laptops that we will be loaning out to users and they
> need Administrator rights for the purpose of installing and using
> their own personal wireless NIC cards since the laptops don't have
> them and they have a need for wireless access at home. They do not
> need admin rights for anything else.
> We do not want them downloading or installing anything else. The
> laptops are supposed to be only used for the purpose of remote
> controlling their desktop that remains in the office by using RDP
> over a VPN connection.
> We would like to restrict the users so all they can do is log in,
> install and configure their wireless card, verify internet
> connectivity, launch the VPN software and launch remote desktop
> software to access the remote PC.
>
> Is there some way to restrict the users to only performing those
> tasks while still having the needed rights to install the wireless
> nic cards?


I second Florian's comments. There is no such thing as a limited
administrator. If they need wireless, either install the cards for them or
replace these laptops with ones that have internal wireless adapters.


 
 
Al Dunbar
      03-15-2009

"Lanwench [MVP - Exchange]"
< hoo.com> wrote in message
news:%23wwBgS%...
> Mygposts <> wrote:
>> We have some laptops that we will be loaning out to users and they
>> need Administrator rights for the purpose of installing and using
>> their own personal wireless NIC cards since the laptops don't have
>> them and they have a need for wireless access at home. They do not
>> need admin rights for anything else.
>> We do not want them downloading or installing anything else. The
>> laptops are supposed to be only used for the purpose of remote
>> controlling their desktop that remains in the office by using RDP
>> over a VPN connection.
>> We would like to restrict the users so all they can do is log in,
>> install and configure their wireless card, verify internet
>> connectivity, launch the VPN software and launch remote desktop
>> software to access the remote PC.
>>
>> Is there some way to restrict the users to only performing those
>> tasks while still having the needed rights to install the wireless
>> nic cards?

>
> I second Florian's comments. There is no such thing as a limited
> administrator. If they need wireless, either install the cards for them or
> replace these laptops with ones that have internal wireless adapters.


Agreed. One more reason to have the laptop configuration done by qualified
IT staff is that this should reduce the likelihood of a misconfiguration
that would keep the user from achieving the remote connection into your
network.

/Al


 
 
Robert Hindla
      04-20-2009
Truly interesting debate. A lot of times people in the field really,
really, really, need to install stuff. And they really, really, really will
yell at you and bring in the old supervisor. There is a need for much more
granular administrative control in Windows.

I made another post about this topic on 4/17/2009. New thread.

As far as 'an admin being an admin' this is bogus and wrong (whew! glad I
got that off my chest.) The CIA doesn't do things like that and neither
could large organizations, such as IBM or EDS, or any fortune 500 company.
Microsoft has to have a separate version of MSGINA or the entire LSASS that
works around this problem which they only make available for megabucks.

Why don't they have more granular security? Because every time your
organization has to set up a security scope, you spend more money for
equipment and software. Part of the old 'one computer and one operating
system per desktop' business plan. Microsoft doesn't even like multiboot
computers, let alone virtual machines.

You can delegate certain functions within an OU boundary -- that's well and
good, but some things about the security structure of the OS are just so
weird. Psychologically, admins don't share anything.

Now that I'm aware this group exists I will need to read it more
attentively.



On 3/15/09 2:06 AM, in article , "Al
Dunbar" <> wrote:

>
> "Lanwench [MVP - Exchange]"
> < hoo.com> wrote in message
> news:%23wwBgS%...
>> Mygposts <> wrote:
>>> We have some laptops that we will be loaning out to users and they
>>> need Administrator rights for the purpose of installing and using
>>> their own personal wireless NIC cards since the laptops don't have
>>> them and they have a need for wireless access at home. They do not
>>> need admin rights for anything else.
>>> We do not want them downloading or installing anything else. The
>>> laptops are supposed to be only used for the purpose of remote
>>> controlling their desktop that remains in the office by using RDP
>>> over a VPN connection.
>>> We would like to restrict the users so all they can do is log in,
>>> install and configure their wireless card, verify internet
>>> connectivity, launch the VPN software and launch remote desktop
>>> software to access the remote PC.
>>>
>>> Is there some way to restrict the users to only performing those
>>> tasks while still having the needed rights to install the wireless
>>> nic cards?

>>
>> I second Florian's comments. There is no such thing as a limited
>> administrator. If they need wireless, either install the cards for them or
>> replace these laptops with ones that have internal wireless adapters.

>
> Agreed. One more reason to have the laptop configuration done by qualified
> IT staff is that this should reduce the likelihood of a misconfiguration
> that would keep the user from achieving the remote connection into your
> network.
>
> /Al
>
>



 
 
Al Dunbar
      04-20-2009

"Robert Hindla" <> wrote in message
news:C6123942.1D58F%...
> Truly interesting debate. A lot of times people in the field really,
> really, really, need to install stuff.


Don't make the mistake of assuming that all organizations have all of the
same issues. There are NO times at which ANYONE other than an admin actually
needs to install stuff in our organization.

> And they really, really, really will
> yell at you and bring in the old supervisor.


Our IT policies are adopted as business policies. A supervisor can yell at
me all he or she wants. Since I can only comply by violating the business
policies I am required to observe, it is not up to me to make a judgment
call.

Sure, some of our people feel they need to be able to install software. But
this turns out to always be a misunderstanding. In some cases they just need
to use the software (i.e. once we install it), in other cases, they have
extrapolated their business problem to a software solution that they do not
have the authority to implement.

> There is a need for much more
> granular administrative control in Windows.


I wouldn't necessarily disagree with you on that one...

> I made another post about this topic on 4/17/2009. New thread.
>
> As far as 'an admin being an admin' this is bogus and wrong (whew! glad I
> got that off my chest.) The CIA doesn't do things like that and neither
> could large organizations, such as IBM or EDS, or any fortune 500 company.


Pretty vague comments. What specifically does the CIA not do?

> Microsoft has to have a separate version of MSGINA or the entire LSASS
> that
> works around this problem which they only make available for megabucks.
>
> Why don't they have more granular security? Because every time your
> organization has to set up a security scope, you spend more money for
> equipment and software. Part of the old 'one computer and one operating
> system per desktop' business plan. Microsoft doesn't even like multiboot
> computers, let alone virtual machines.


How can you say that, when they provide Virtual PC licenses for free?

> You can delegate certain functions within an OU boundary -- that's well
> and
> good, but some things about the security structure of the OS are just so
> weird.


IMHO, some of that is not so much by design (as you seem to imply) but
because of how the o/s works from the point of view of managing it.

> Psychologically, admins don't share anything.


I'm not sure what you mean by that.

/Al

> Now that I'm aware this group exists I will need to read it more
> attentively.
>
>
>
> On 3/15/09 2:06 AM, in article , "Al
> Dunbar" <> wrote:
>
>>
>> "Lanwench [MVP - Exchange]"
>> < hoo.com> wrote in
>> message
>> news:%23wwBgS%...
>>> Mygposts <> wrote:
>>>> We have some laptops that we will be loaning out to users and they
>>>> need Administrator rights for the purpose of installing and using
>>>> their own personal wireless NIC cards since the laptops don't have
>>>> them and they have a need for wireless access at home. They do not
>>>> need admin rights for anything else.
>>>> We do not want them downloading or installing anything else. The
>>>> laptops are supposed to be only used for the purpose of remote
>>>> controlling their desktop that remains in the office by using RDP
>>>> over a VPN connection.
>>>> We would like to restrict the users so all they can do is log in,
>>>> install and configure their wireless card, verify internet
>>>> connectivity, launch the VPN software and launch remote desktop
>>>> software to access the remote PC.
>>>>
>>>> Is there some way to restrict the users to only performing those
>>>> tasks while still having the needed rights to install the wireless
>>>> nic cards?
>>>
>>> I second Florian's comments. There is no such thing as a limited
>>> administrator. If they need wireless, either install the cards for them
>>> or
>>> replace these laptops with ones that have internal wireless adapters.

>>
>> Agreed. One more reason to have the laptop configuration done by
>> qualified
>> IT staff is that this should reduce the likelihood of a misconfiguration
>> that would keep the user from achieving the remote connection into your
>> network.
>>
>> /Al
>>
>>

>
>



 