Administrator vs Power User

[Express]

Hi All,

Ok here's the scenerio I work at a firm which, as anywhere you have your clowns that like to wonder on websites which they shouldnt be on and downloading games and such... yeah they can get terminated thats another story. Currently these users are setup with admin rights due to the trading applications they need to use. Now I have been successful on locking down some apps so they dont need admin rights but there others which need it.

I have been able to place them in to PowerUses and it works as well. My question is what are the main differences between Administrator and PowerUsers. Can they both still do installs and such???? Any advice will be appreciated. My overall goal is to lock the user down that they may only use the computer for its purpose at work without downlaoding stuff which then as we all know it installs adwares, spywares, viruses and etc....

Thanks

EXPRESS

[nitroshift]

i would just deny their access to the internet. simple as that! i know what you are going through as i have had the same problems. i warned the users about accessing some sites and downloading stuff and those who didn't listen got banned from accessing the internet. if it helps, you can achieve that through the group policy on your server. hope this helps you. good luck!

[Express]

nitroshift, sounds like a good idea, but and here is the but. They need to access internet for some of the applications though. We have in place policies that restrict users to websites but we can't get them all. Also I need to restrict these guys from installing apps, like ESPN, Weather tools, etc...

Thanks,

EXPRESS

Edited June 8, 2006 by Express

[Camarade_Tux]

If you know what are the names of the apps they shouldn't run, you can lock them. I think I have something like that at school.

Or, you can have a white-list too.

Or, you can use an app that will close or reduce to taskbar non-wanted apps or windows. You can do that to prevent any download from the internet : cancel will be sent to each download dialog.

Last, you can forbid any ActiveX to install.

As for the difference between power users and Admins, I have no idea.

Except that I dound an interesting page: http://www.sysinternals.com/blog/2006/05/p...ower-users.html

The Power Users group is able to install software, manage power and time-zone settings, and install ActiveX controls, actions that limited Users are denied.

and so on.

[Express]

Hmm sounds interesting how would I do that?

Or, you can use an app that will close or reduce to taskbar non-wanted apps or windows. You can do that to prevent any download from the internet : cancel will be sent to each download dialog.

Thanks,

EXPRESS

[dancity]

Power Users are given privledges to install programs and hardware but necessarily dont havce access to everything in the system Windows, whilest Administrator has full access to everything.

Your best best is to use a software that can (I believe windows security Policy management does this) only let applications on the allowed list run - so you can block out the uncessary aps. Hmm I also think black access to control panel too put some tough restrictions on it:) And keep the net up , and password some websites.

[Camarade_Tux]

Hmm sounds interesting how would I do that?

Or, you can use an app that will close or reduce to taskbar non-wanted apps or windows. You can do that to prevent any download from the internet : cancel will be sent to each download dialog.

Thanks,

EXPRESS

I personnaly use AHK for such purposes. Since I've forgotten something in AHK, I'll only post a full script tonight.

Or, if you only want the thing to cancel downloads : you need the title of the initial download dialog. Then, it should look like

WinWait, the_title_of_the_window
WinMinimize, the_title_of_the_window

And the thing I forgot is the "loop" part.

It is also possible to wait for a few seconds before cancelling. Thus, users should be able to download small files but not bigger ones.

I'll also check if it is possible to filter according to file extensions. But this one is also maybe possible use regedit.

And last, on "blocking" it is possible to have a ballon-tip.

In a few words, I'll try to make a "proof-of-concept" script before going to bed but right now, I have to work.

[Express]

Camarade_Tux, hey that sounds good to me. I will wait patiently that script I'd like to try that.

I have never tried that autohotkey, I will look into it today.

Thanks for all the info.

Edited June 8, 2006 by Express

[bledd]

can't you do a rule that blocks ALL websites apart from ...

so they can ONLY use websites that they ask you to give them access to

[janus zeal]

can't you do a rule that blocks ALL websites apart from ...

so they can ONLY use websites that they ask you to give them access to

yes. you can also use programs like Deep Freeze and Anti-executable.

http://www.faronics.com

Edited June 9, 2006 by janus zeal

[Camarade_Tux]

Express, what is the "exact" title of a download dialog in your language (the thing is case-sensitive) ?

When this windows appears, checks it is active and simulate a press on the ESCAPE key. This cancels the download. It also displays a ballon-tip (can't test the ballon-tip right now cause Litestep [my shell] can not display them)

The title of this window is "Téléchargement de fichier". What's yours ?

It will only cancel the first 1000 downloads. I think it should be enough.

Edited June 9, 2006 by Camarade_Tux

[XP_2600]

Group policy can do alot, just check it.

[Zxian]

From what I can see, you've got two options.

1) Use Group Policies like XP_2600 said to restrict the programs that are allowed to run. Just make sure that all the default startup items are included on that list, as well as mmc.exe and task manager (and the other few common ones).

2) Wouldn't you be able to use "Run As..." for the programs that they need to run as an admin, and give the users a limited or other type of account?