StaplesMan
Technical User
As I have learned over the years in IT ways of doing things seem to change and migrate.
When I first started working with Windows XP in a domain environment and I only wanted the billing department to be able to log into there computers. I would remove the default "authenticated users", "interactive", and "Domain users" out of the users group. I would then put the group I wanted to allow onto that system "Billing" group and leave the administrative group with local "administrator" and "domain admins".
Have done this for years and have had 0 problems! Very secure and works all the time.
Then along comes Windows 7 and UAC and let's just say the first Win7 system I got I did exactly the same as my WinXP friends and all worked perfectly for my users but the administrators could not do anything! I quickly realized that because I took "athenticated users" and "interactive" out of the users list when I log in as an administrator I can no longer run programs because I can't run as a normal user.
Now this has crated a big problem!
I know there are ways via Group Policy's to do what I'm looking for but I'm looking for a quick and simple fix on the desktop it's self to allow me to lock the system down so our billing offices only has access at a user level to log onto the computer. And the domain admins will have administrative and user access to the system.
The only way I know how to do double add all the administrators also to the users group.
Just to clarify I have removed "domain users" and left "authenticated users" and "interactive" any domain user can still log on. I'm not sure what the need to have "domain users" by default is. But I have to take both "authenticated users" and "interactive" out of the users group and then add "billing" to block everyone else and allow only billing. But then administrators can work.
Is there any other way?
Thanks in advance.
CCNA, A+, HP Certified Professional
When I first started working with Windows XP in a domain environment and I only wanted the billing department to be able to log into there computers. I would remove the default "authenticated users", "interactive", and "Domain users" out of the users group. I would then put the group I wanted to allow onto that system "Billing" group and leave the administrative group with local "administrator" and "domain admins".
Have done this for years and have had 0 problems! Very secure and works all the time.
Then along comes Windows 7 and UAC and let's just say the first Win7 system I got I did exactly the same as my WinXP friends and all worked perfectly for my users but the administrators could not do anything! I quickly realized that because I took "athenticated users" and "interactive" out of the users list when I log in as an administrator I can no longer run programs because I can't run as a normal user.
Now this has crated a big problem!
I know there are ways via Group Policy's to do what I'm looking for but I'm looking for a quick and simple fix on the desktop it's self to allow me to lock the system down so our billing offices only has access at a user level to log onto the computer. And the domain admins will have administrative and user access to the system.
The only way I know how to do double add all the administrators also to the users group.
Just to clarify I have removed "domain users" and left "authenticated users" and "interactive" any domain user can still log on. I'm not sure what the need to have "domain users" by default is. But I have to take both "authenticated users" and "interactive" out of the users group and then add "billing" to block everyone else and allow only billing. But then administrators can work.
Is there any other way?
Thanks in advance.
CCNA, A+, HP Certified Professional
