| Author | Messages | |
sekinj
Posts:7
 | | 12/13/2009 9:24 PM |
|
Hi! I want to have my gpo take admin privileges away from everyone in my domain, and leave them only the ability to add printers, do updates, and map drives... Is this possible? Are there online resources that can help me, or does someone know what changes I need to make the gpo?
Thank you!
-sekinj
| | | |
| davesharples
Posts:55
| | 12/13/2009 9:24 PM |
| You can use group policy preferences to make changes to the admin group
Empty it out, then add whoever you want back in
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of sekinj
Sent: 05 October 2009 14:32
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] remove Admin rights via gpo?
Hi! I want to have my gpo take admin privileges away from everyone in my domain, and leave them only the ability to add printers, do updates, and map drives... Is this possible? Are there online resources that can help me, or does someone know what changes I need to make the gpo?
Thank you!
-sekinj
| | | |
| JamieNelson
Posts:166
| | 12/13/2009 9:24 PM |
| You would only need rights to install print drivers, not the print queue
itself. You can change this in security policy by disabling the
"Devices: Prevent users from installing printer drivers" policy in
Computer Configuration > Windows Settings > Security Settings > Local
Policies > Security Options.
You can manage the membership of the Local Administrators group via
Restricted Groups policy. You simply specify which groups/users are
authorized to be in a group and policy will remove everything else. You
can also do the same thing with Group Policy Preferences, although it is
slightly different. However it also gives you a little more flexibility.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon
Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 |
http://www.dvn.com <http://www.dvn.com/>
From: xxxxxxxxxxxxxxxx
[mailto:xxxxxxxxxxxxxxxx] On Behalf Of Dave Sharples
Sent: Monday, October 05, 2009 8:40 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] remove Admin rights via gpo?
Don't need admin rights to do those anyway, so shouldn't be affected
From: xxxxxxxxxxxxxxxx
[mailto:xxxxxxxxxxxxxxxx] On Behalf Of xxxxxxxxxxxxxxxx
Sent: 05 October 2009 14:39
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] remove Admin rights via gpo?
Ok. Is there a way to leave people with the rights to add printers, map
drives, and do windows updates?
Sent on the Sprint(r) Now Network from my BlackBerry(r)
________________________________
From: Dave Sharples <xxxxxxxxxxxxxxxx>
Date: Mon, 5 Oct 2009 14:35:29 +0100
To: xxxxxxxxxxxxxxxx<xxxxxxxxxxxxxxxx>
Subject: RE: [gptalk] remove Admin rights via gpo?
You can use group policy preferences to make changes to the admin group
Empty it out, then add whoever you want back in
From: xxxxxxxxxxxxxxxx
[mailto:xxxxxxxxxxxxxxxx] On Behalf Of sekinj
Sent: 05 October 2009 14:32
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] remove Admin rights via gpo?
Hi! I want to have my gpo take admin privileges away from everyone in
my domain, and leave them only the ability to add printers, do updates,
and map drives... Is this possible? Are there online resources that can
help me, or does someone know what changes I need to make the gpo?
Thank you!
-sekinj
Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged.
If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of all or any portion of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.
| | | |
| kcnychief
Posts:0
| | 12/13/2009 9:24 PM |
| Does this not technically work on Vista? I only ask because by default the value is disabled yet non-admins receive UAC prompts when trying to install printer drivers.
[cid:image001.png@01CA45D4.40F5BBF0]
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Nelson, Jamie
Sent: Monday, October 05, 2009 10:17 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] remove Admin rights via gpo?
You would only need rights to install print drivers, not the print queue itself. You can change this in security policy by disabling the "Devices: Prevent users from installing printer drivers" policy in Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
You can manage the membership of the Local Administrators group via Restricted Groups policy. You simply specify which groups/users are authorized to be in a group and policy will remove everything else. You can also do the same thing with Group Policy Preferences, although it is slightly different. However it also gives you a little more flexibility.
Jamie Nelson | Sr. Administrator | BI&T Infrastructure-Intel | Devon Energy Corporation | Work: 405.552.8054 | Mobile: 405.248.7963 | http://www.dvn.com<http://www.dvn.com/>
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Dave Sharples
Sent: Monday, October 05, 2009 8:40 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] remove Admin rights via gpo?
Don't need admin rights to do those anyway, so shouldn't be affected
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of xxxxxxxxxxxxxxxx
Sent: 05 October 2009 14:39
To: xxxxxxxxxxxxxxxx
Subject: Re: [gptalk] remove Admin rights via gpo?
Ok. Is there a way to leave people with the rights to add printers, map drives, and do windows updates?
Sent on the Sprint(r) Now Network from my BlackBerry(r)
________________________________
From: Dave Sharples <xxxxxxxxxxxxxxxx>
Date: Mon, 5 Oct 2009 14:35:29 +0100
To: xxxxxxxxxxxxxxxx<xxxxxxxxxxxxxxxx>
Subject: RE: [gptalk] remove Admin rights via gpo?
You can use group policy preferences to make changes to the admin group
Empty it out, then add whoever you want back in
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of sekinj
Sent: 05 October 2009 14:32
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] remove Admin rights via gpo?
Hi! I want to have my gpo take admin privileges away from everyone in my domain, and leave them only the ability to add printers, do updates, and map drives... Is this possible? Are there online resources that can help me, or does someone know what changes I need to make the gpo?
Thank you!
-sekinj
________________________________
Confidentiality Warning: This message and any attachments are intended only for the use of the intended recipient(s), are confidential, and may be privileged. If you are not the intended recipient, you are hereby notified that any review, retransmission, conversion to hard copy, copying, circulation or other use of all or any portion of this message and any attachments is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return e-mail, and delete this message and any attachments from your system.
________________________________
CONFIDENTIALITY NOTICE: This e-mail message (including attachments) is covered by the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521, and is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any unauthorized review, use, disclosure, dissemination, copying, forwarding or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. If you are the intended recipient but do not wish to receive communication through this medium, please so advise the sender immediately.
| | | |
|
|