Educause Security Discussion mailing list archives

Re: Administrative v/s power user Access for Staff and students

From: Brian Desmond <brian.desmond () MORANTECHNOLOGY COM>
Date: Fri, 6 Mar 2009 13:41:42 -0600

You can also push the ACLs down natively with Group Policy too - there's a
File Security section which lets you define arbitrary file/folder ACLs.



In any case, Process Monitor from Sysinternals (free) is your best friend
for troubleshooting this stuff as like Mike says, it's usually the root
cause for apps to not work under limited privs.



Thanks,

Brian Desmond

brian.desmond () morantechnology com



c - 312.731.3132



Active Directory, 4th Ed -  <http://www.briandesmond.com/ad4/>
http://www.briandesmond.com/ad4/

Microsoft MVP -  <https://mvp.support.microsoft.com/profile/Brian>
https://mvp.support.microsoft.com/profile/Brian





From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tupker, Mike
Sent: Friday, March 06, 2009 1:11 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Administrative v/s power user Access for Staff and
students



We have made all of our employees power users. Students in the labs get
standard user rights assigned to them. Most admin right issues that I've
seen can be fixed by granting write access to an application directory. Is
situations like that we have a startup script that will use the cacls.exe
command to change directory ACLs.



Mike Tupker

Systems Administrator

Mount Mercy College

Office: (319) 363-1323 x1401

Mobile: (319) 538-1644

If you need assistance with an computer issue please contact the helpdesk at
x4357 or http://help.mtmercy.edu.



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Anand S Malwade
Sent: Friday, March 06, 2009 12:32 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Administrative v/s power user Access for Staff and
students



I was wondering what other universities are doing in limiting administrative
access on Desktops and laptops for Staff ?

The rationale being as we know that enterprise workstations run as
administrator also makes the network vulnerable to malware including
viruses, Trojan horses, spyware, adware and unintentional user damage.
Malware can exploit a local administrator account's system-level access to
damage files, change system configurations, and even transmit confidential
data outside of the network. Ensuring that all users run as standard users
is the primary way to help mitigate the impact.

Has anyone tried giving Power User level access as opposed to full admin
rights and if yes what was the overall experience ?



Thanks,

Anand





Anand Malwade

Information Security Officer,

Seton Hall University,

Current thread:

Administrative v/s power user Access for Staff and students Anand S Malwade (Mar 06)
- <Possible follow-ups>
- Re: Administrative v/s power user Access for Staff and students Tupker, Mike (Mar 06)
- Re: Administrative v/s power user Access for Staff and students Brian Desmond (Mar 06)
- Re: Administrative v/s power user Access for Staff and students Stanclift, Michael (Mar 06)
- Re: Administrative v/s power user Access for Staff and students Gary Flynn (Mar 06)
- Re: Administrative v/s power user Access for Staff and students Brian K . Doré (Mar 06)
- Re: Administrative v/s power user Access for Staff and students Kevin Shalla (Mar 09)