More and more
programs are upgrading themselves while Your users are logged in, but
even if You don't have such programs, maybe You have decided that Your
users must be able to install programs on their Windows 2000/XP
client computers running on Your network.
Installing programs on a Windows 2000/XP client computer is another matter, because the operating system imposes many restrictions through the Local Groups stored on the hard disk.
group is the LocalAdministratorsGroup. Members of this group can
install programs, because the operating system grants this group rights
to save files in the C:\WINNT\SYSTEM32-folder and to change the
important parts of the registry.
Any of these solutions makes the security hole work!
If You have many client computers, stopping the security hole is hard work.
The only way until now is to remove everybody but the
LocalAdministrator and GlobalDomainAdminsGroup, and add only the one
DomainUser who uses the client computer.
also makes the security hole
BUT while the DomainUser is a member of the Local Admin Group, he/she can make a new local user on every computer on the network, and grant this local user membership of the Local Admin Group on every computer.
And the DomainUser can do it from his/her own computer without anyone seeing anything about it.
So - if You have such a DomainUser, he/she will retain total admin power over every computer on Your network, even after You have removed the DomainUser from one of the above-mentioned GlobalDomainGroups.
Another problem is releasing the password for the LocalAdministrator. You have probably set the same LocalAdministrator password on all Your computers. Otherwise You can't support/rescue these computers if You don't know the password.
But if You release the password to a DomainUser who must install programs, or if a DomainUser guesses/hacks the password, he/she will gain TOTAL control over all of the other Windows 2000/XP client computers from his/her own client computer, even if no one other than the LocalAdministrator is a member of the LocalAdministratorsGroup!
Because of this security hole, all Your LocalAdministrator passwords should be different. This shouldn't give You any problems if You remember to add the GlobalDomainAdminsGroup as a member of the LocalAdministratorsGroup on each client computer.
So there is a lot of work running from computer to computer if You want to stop this security hole.
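The membership rule described above (only the LocalAdministrator, the GlobalDomainAdminsGroup and the one DomainUser who uses the computer) can be checked from saved `net localgroup Administrators` output. The following Python script is an added example, not part of the original page or of W2kLocalGroupPolicy; the computer names, the CORP domain and the account names are constructed.

```python
# Added example; computer names, the CORP domain and account names are constructed.
HEADER = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access

Members

-------------------------------------------------------------------------------
"""
FOOTER = "The command completed successfully.\n"

# Constructed `net localgroup Administrators` output: computer -> (assigned user, output)
SAMPLE = {
    "PC01": ("jdoe", HEADER + "Administrator\nCORP\\Domain Admins\nCORP\\jdoe\n" + FOOTER),
    "PC02": ("asmith", HEADER + "Administrator\nCORP\\Domain Admins\nCORP\\asmith\n"
                                "CORP\\jdoe\nsupport2\n" + FOOTER),
}

def parse_members(output):
    """Return the member names listed between the dashed line and the footer."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("-----"):
            in_list = True
        elif line.startswith("The command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members

def audit(computer, assigned_user, output, domain="CORP"):
    """Flag every member other than the three entries the rule allows."""
    allowed = {"administrator", f"{domain}\\domain admins".lower(),
               f"{domain}\\{assigned_user}".lower()}
    findings = []
    for member in parse_members(output):
        if member.lower() not in allowed:
            # No DOMAIN\ prefix: the account exists only on this computer.
            kind = "domain account" if "\\" in member else "local account"
            findings.append((computer, member, kind))
    return findings

def audit_all(sample=SAMPLE):
    """Audit every computer in the sample and return all findings."""
    return [f for pc, (user, out) in sorted(sample.items())
            for f in audit(pc, user, out)]

if __name__ == "__main__":
    for computer, member, kind in audit_all():
        print(f"{computer}: unexpected {kind} in Administrators: {member}")
```

On the constructed sample, PC02 is reported twice: once for a second DomainUser and once for a local account, the kind of leftover local user described above.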
If You want to do all this from Your own Windows 2000/XP client computer, You should consider trying W2kLocalGroupPolicy free on 9 client computers for 90 days.