Limit Rights Of Local Administrators By Using Group Policy?

Discussion in 'Server Security' started by Mygposts, Mar 12, 2009.

  1. Mygposts

    Mygposts Guest

    We have some laptops that we will be loaning out to users and they need
    Administrator rights for the purpose of installing and using their own
    personal wireless NIC cards since the laptops don't have them and they have a
    need for wireless access at home. They do not need admin rights for anything
    else.
    We do not want them downloading or installing anything else. The laptops
    are supposed to be only used for the purpose of remote controlling their
    desktop that remains in the office by using RDP over a VPN connection.
    We would like to restrict the users so all they can do is log in, install
    and configure their wireless card, verify internet connectivity, launch the
    VPN software and launch remote desktop software to access the remote PC.

    Is there some way to restrict the users to only performing those tasks while
    still having the needed rights to install the wireless NIC cards?
     
    Mygposts, Mar 12, 2009
    #1

  2. Howdie!
    Then find a way to install the NIC cards for them. Don't let them
    install them themselves. Put them into the "Network Operators" group
    (Windows XP and above) so they can change IP settings and stuff - but
    don't grant them admin permission on the boxes in the first place.
    The thing is -- an admin is an admin. You can't put things into place an
    admin can't revert. Even taking permissions on folders can be reverted
    by simply taking ownership of it and applying different settings. The
    same applies for GP - although it's a little harder.

    GPs are applied periodically in the background - but admins are allowed
    to change the registry settings GP puts into place (to restrict access
    to features/hide things,... you get the picture). They can revert the
    settings you put into place with GP.

    The bottom line is: make them non-admin.

    Cheers,
    Florian
     
    Florian Frommherz [MVP], Mar 12, 2009
    #2
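One way to act on Florian's advice on the loaned laptops: audit the local Administrators group and move the borrowing users to the built-in Network Configuration Operators group (the group Florian refers to), which can change IP settings without admin rights. This is an added example, not code from the thread; it assumes the LocalAccounts cmdlets available on Windows 10 / Server 2016 or later with PowerShell 5.1+, and the account and group names in `$AllowedAdmins` are placeholders.

```powershell
# Added example (not from the thread): report, and optionally fix, accounts that
# are local admins on a loaned laptop by moving them to the built-in
# "Network Configuration Operators" group, which may change IP/DNS settings
# but cannot install software or undo Group Policy.
# Assumes the LocalAccounts module (Windows 10 / Server 2016+, PowerShell 5.1+).
param(
    # Accounts that are allowed to stay in Administrators (placeholder names)
    [string[]] $AllowedAdmins = @("$env:COMPUTERNAME\Administrator", "CORP\Laptop-Admins"),
    # Without -Fix the script only reports unexpected admins
    [switch]   $Fix
)

$adminGroup  = "Administrators"
$netOpsGroup = "Network Configuration Operators"

$members = Get-LocalGroupMember -Group $adminGroup
foreach ($m in $members) {
    if ($AllowedAdmins -contains $m.Name) { continue }
    Write-Output "Unexpected local admin: $($m.Name) ($($m.ObjectClass))"
    if (-not $Fix) { continue }

    # Grant the network-configuration rights first so the user is never
    # left unable to configure the wireless card.
    $alreadyNetOps = Get-LocalGroupMember -Group $netOpsGroup -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $m.Name }
    if (-not $alreadyNetOps) {
        Add-LocalGroupMember -Group $netOpsGroup -Member $m.Name
    }
    Remove-LocalGroupMember -Group $adminGroup -Member $m.Name
    Write-Output "  moved $($m.Name) from $adminGroup to $netOpsGroup"
}
```

Run it once without `-Fix` to review the report, then with `-Fix` from an elevated prompt; the driver for the wireless card still needs to be installed by IT staff beforehand, as the replies recommend.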

  3. I second Florian's comments. There is no such thing as a limited
    administrator. If they need wireless, either install the cards for them or
    replace these laptops with ones that have internal wireless adapters.
     
    Lanwench [MVP - Exchange], Mar 13, 2009
    #3
  4. Al Dunbar Guest

    "Lanwench [MVP - Exchange]"
    Agreed. One more reason to have the laptop configuration done by qualified
    IT staff is that this should reduce the likelihood of a misconfiguration
    that would keep the user from achieving the remote connection into your
    network.

    /Al
     
    Al Dunbar, Mar 15, 2009
    #4
  5. Truly interesting debate. A lot of times people in the field really,
    really, really, need to install stuff. And they really, really, really will
    yell at you and bring in the old supervisor. There is a need for much more
    granular administrative control in Windows.

    I made another post about this topic on 4/17/2009. New thread.

    As far as 'an admin being an admin' this is bogus and wrong (whew! glad I
    got that off my chest.) The CIA doesn't do things like that and neither
    could large organizations, such as IBM or EDS, or any Fortune 500 company.
    Microsoft has to have a separate version of MSGINA or the entire LSASS that
    works around this problem which they only make available for megabucks.

    Why don't they have more granular security? Because every time your
    organization has to set up a security scope, you spend more money for
    equipment and software. Part of the old 'one computer and one operating
    system per desktop' business plan. Microsoft doesn't even like multiboot
    computers, let alone virtual machines.

    You can delegate certain functions within an OU boundary -- that's well and
    good, but some things about the security structure of the OS are just so
    weird. Psychologically, admins don't share anything.

    Now that I'm aware this group exists I will need to read it more
    attentively.

    Robert Hindla, Apr 20, 2009
    #5
  6. Al Dunbar Guest

    Don't make the mistake of assuming that all organizations have all of the
    same issues. There are NO times at which ANYONE other than an admin actually
    needs to install stuff in our organization.
    Our IT policies are adopted as business policies. A supervisor can yell at
    me all he or she wants. Since I can only comply by violating the business
    policies I am required to observe, it is not up to me to make a judgment
    call.

    Sure, some of our people feel they need to be able to install software. But
    this turns out to always be a misunderstanding. In some cases they just need
    to use the software (i.e. once we install it), in other cases, they have
    extrapolated their business problem to a software solution that they do not
    have the authority to implement.
    I wouldn't necessarily disagree with you on that one...
    Pretty vague comments. What specifically does the CIA not do?
    How can you say that, when they provide Virtual PC licenses for free?
    IMHO, some of that is not so much by design (as you seem to imply) but
    because of how the o/s works from the point of view of managing it.
    I'm not sure what you mean by that.

    /Al
     
    Al Dunbar, Apr 21, 2009
    #6
