|
Posted by =?Utf-8?B?R3VubmE=?= on July 14, 2008, 11:25 pm
If you were Registered and logged in, you could reply and use other advanced thread options
and US mentality that "we" must be in control of all things...
"Shenan Stanley" wrote:
> Gunna wrote:
> > I have a need to put an Active Directory group into the
> > Administrators group on a number of machines for various reasons
> > which cannot be stopped. The problem is there is an application on
> > these machines that I do no want them to be able to access and the
> > aaplication has no ability to request crednetials etc. It's just a
> > dumb application.
> >
> > I considered using FOlder permissions to lock out the local
> > administrator group from the folder. This stopped them from
> > running the application until I when in as one of the users and
> > simple took ownership of the folder and gave myself access. Then I
> > tried adding a deny take ownership of the folder to the local admin
> > group. Again it just allowed me to take ownership assuming becuase
> > local admins can do that regardless of the deny rule I just created.
> >
> > Can anyone suggest how to stop them taking ownsership and from
> > being able to run the application?
>
> If someone is an administrator on a computer - other than encryption and
> other password-based limitations - you are not going to 'stop' them from
> doing just about anything they please.
>
> In other words - "administrators" is the default name of the group for a
> reason. They can administer everything on the computer as they see fit.
>
> What is this unstoppable reason to make these users administrators?
> Political I assume?
>
> --
> Shenan Stanley
> MS-MVP
> --
> How To Ask Questions The Smart Way
> http://www.catb.org/~esr/faqs/smart-questions.html
>
>
>
| 
XML site map