If they have local admin rights, it's a trivial task to add their
non-admin (are you referring to non-domain-admin?) domain account to the
local administrator's group and be done with silly restrictions. Unless
you're controlling local admin group membership via GP - but since
you're using unique local administrative accounts I'm thinking you're
not controlling membership via GP
You stated that they have local admin rights because taking them away is
not an easy thing to do - since you are an academic environment. Well,
I think that's a political thing, not something related to the
environment you're in. Everyone "needs" admin access, just ask them.
It's not just an academic thing. course, you didn't ask us (or me)
an opinion on admin rights. I just wanted to point out that if you have
problems related to that, you might want to revisit the issue and know
that [IMH] the "need" for admin rights is not a special academic
environment need.
Anyway I probably missed a post somewhere, but why the Herculean efforts
to block IE7? I'm just curious.
Rich Milburn
MCSE, Microsoft MVP - Directory Services
Sr Network Analyst, Field Platform Development
Applebee's International, Inc.
4551 W. 107th St
Park, KS 66207
913-967-2819
"I love the smell of red herrings in the morning" - anonymous
Message
From: ActiveDir-owner (AT) mail (DOT) activedir.org
[mailto:ActiveDir-owner (AT) mail (DOT) activedir.org] Behalf Rob MIR
Sent: Sunday, 22, 2006 1:32 PM
To: ActiveDir (AT) mail (DOT) activedir.org; ActiveDir (AT) mail (DOT) activedir.org
Subject: RE: [ActiveDir] Blocking IE7
Yes but my point was that the moment you decide "We're gonna give
{someone} admin rights" you've totally conceeded control of the machine
and you're reliant on their co-operation. If someone wants IE7 on their
machine in your environment, they *will* have it.
As you can see from the sig in my last message, I'm quite familiar with
academic environments.
Message
From: ActiveDir-owner (AT) mail (DOT) activedir.org on behalf of Lucas, Bryan
Sent: Fri 20/10/2006 15:51
To: ActiveDir (AT) mail (DOT) activedir.org
Subject: RE: [ActiveDir] Blocking IE7
Being an academic environment, taking administrative rights away from
users is not an easy thing to accomplish. The compromise was to have
their domain account (which they are logged in as 99% of the time) a
non-admin, but then give them the admin rights in the form of a separate
local account unique to their workstation.
This makes them safer while browsing and requires them to go through a
very conscious extra set of steps to install new hw/sw.
It has worked very well, cut down on spyware/junkware as well as served
as a training ground both for us and the users for the upcoming Vista
model.
Bryan Lucas
Server Administrator
Texas Christian University
Message
From: ActiveDir-owner (AT) mail (DOT) activedir.org
[mailto:ActiveDir-owner (AT) mail (DOT) activedir.org] Behalf Rob MIR
Sent: Friday, 20, 2006 6:58 AM
To: ActiveDir (AT) mail (DOT) activedir.org
Subject: RE: [ActiveDir] Blocking IE7
And now I'm really confused. Why make your users admins and then lock
down the ways they can admin the system?