Group Policy - Non-Admin Rights Question

Stiltz79 Member Posts: 74
I'm working on building a GPO to assist with removing local admin rights for users. I'm running into a problem where I would like to use GPO to allow non-admins to install local printers and other hardware. I Googled a bunch of research and came up with some solutions, but they don't seem to be functioning the way I want them to. Here's the link to the solution I'm using:

http://social.technet.microsoft.com/Forums/en-US/w7itprosecurity/thread/df21

Am I missing something? Are there other policies that need to be changed also? I'm a trainee admin at my job and this is part of our planning for Windows 7 Implementation. Any help would be appreciated.

Comments

  • Devilsbane Member Posts: 4,214
    By configuring the Restricted Groups policy located under Computer --> Windows Settings --> Security Settings you can restrict which users are members of the local admin groups. By not adding a person to a restricted group here, every time the policy is refreshed the users not on that list will be removed from the local administrator group.

    You can then allow authenticated users to load and unload device drivers by going to Computer --> Windows Settings --> Security Settings --> User Rights Assignment.

    You could also add these users to the local power users group, but that might give them more access than you wanted.
    Decide what to be and go be it.
  • Stiltz79 Member Posts: 74
    Is there something wrong with the way I'm approaching this problem originally? I only want to allow them to install certain pieces of hardware, specifically printers.
  • Devilsbane Member Posts: 4,214
    Stiltz79 wrote:
    Is there something wrong with the way I'm approaching this problem originally? I only want to allow them to install certain pieces of hardware, specifically printers.

    I've never used it in a production environment, but to my knowledge it's opening the barn door for your users.

    Where I work we don't allow our users to install printers, even laptop users. If someone needs to, they call our help desk and get a ticket opened. The security team will then place them temporarily in a group (for like 24 hours) that allows them to install and then removes them.

    It really isn't much more secure since there are little or no restrictions on being added to this group and an intelligent user could request it whenever they wanted the power. But it should stop the casual user from making a mess.
    Load and unload device drivers
    This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Instead, use the StartService() API.
    Default: Administrators
    Caution:
    Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.
    Decide what to be and go be it.
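
An added example, not written by any poster in this thread: a Python check over a GPO security template (the INF text found in a GPO's GptTmpl.inf or produced by `secedit /export`) that reports any principal other than Administrators holding "Load and unload device drivers" and lists the members a Restricted Groups entry enforces for the local Administrators group. The sample template and the `helpdesk-temp` group name are constructed for illustration.

```python
import configparser

ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of the built-in Administrators group

# Constructed sample in security-template (INF) layout; real exports are UTF-16 files.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-11
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,helpdesk-temp
"""


def _principals(value):
    """Split 'name,*S-1-...' into names/SIDs, dropping the '*' SID marker."""
    return [p.strip().lstrip("*") for p in (value or "").split(",") if p.strip()]


def audit_template(text):
    """Return risky driver-right holders and the enforced local admin members."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the template
    cp.read_string(text)
    rights = cp["Privilege Rights"] if cp.has_section("Privilege Rights") else {}
    groups = cp["Group Membership"] if cp.has_section("Group Membership") else {}

    # "Load and unload device drivers" is SeLoadDriverPrivilege; default is Administrators only.
    holders = _principals(rights.get("SeLoadDriverPrivilege", ""))
    members_key = "*" + ADMINISTRATORS + "__Members"  # Restricted Groups entry
    return {
        "driver_right_extra": [h for h in holders if h != ADMINISTRATORS],
        # None means the template does not restrict local Administrators at all.
        "admin_members": _principals(groups[members_key]) if members_key in groups else None,
    }


if __name__ == "__main__":
    result = audit_template(SAMPLE_INF)
    for sid in result["driver_right_extra"]:
        print("WARNING: SeLoadDriverPrivilege granted to", sid)
    print("Enforced local Administrators members:", result["admin_members"])
```

In the sample, `S-1-5-11` is Authenticated Users, so the check flags the template as handing kernel-mode driver loading to every logged-on account.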