Restricting Power Users with a Group Policy

[gmc43302]

I have an application that requires the users to be members of the Power Users group. I need to prevent the users from being able to change the date and time on the computer. When I apply a group policy to restrict access to timedate.cpl it works until I add the user to the Power User group. Is there a way to restrict the rights of a Power User through Group Policy?

 

[porkchopexpress]

Not really as power users is a subset of the administrators group not a superset of the users group, they have enough rights to get around most GPO's with a bit of knowledge.

Why does the app require power user rights, NTFS permissions?

We have a couple of apps that "require" power user rights due to permissions issues but i get around this by using a GPO to relax permissions on necessary folders and registry keys.

 

[ITPangaeaArchitect]

porkchop has the right idea there...but, power users is not a subset of administrators in any way. their permissions come from default user rights assignments on the boxes for the most part (not including files, registry, etc. of course).

-Brandon Wilson
MCSE:Security00/03
MCSA:Messaging00
MCSA:Security03
A+

 

[porkchopexpress]

I'm only going on what an MS support staffer told me there, power users do have allot of rights though including the ability to modify computer-wide settings, install drivers and most software.

I just tend to avoid power users as when we used to use it users could still install so many apps and toolbars, not to mention spyware.

Power Users can perform any operating system task except tasks reserved for the Administrators group. The default permissions that are allotted to the Power Users group allow members of the Power Users group to modify computerwide settings."

http://technet2.microsoft.com/windo...e207-456c-9554-60f25f94a9151033.mspx?mfr=true

http://support.microsoft.com/kb/825069

 

[58sniper]

PowerUsers can self elevate to admins, too, with the right knowledge.

Pat Richard MVP

 

[porkchopexpress]

Yep that's what's in the second link

 

[gmc43302]

Thank you all for the information. The software vendor is unable to supply a list of files and registry keys where the user needs rights. So they have sent my request on to the development team.

 

[ITPangaeaArchitect]

a truely easy way to see power users is more like server operators. basically, all rights they have, are a culmination of user rights assignments, registry and file/folder perms, and i think that about covers it. all of these can be adjusted. im ex-PSS from MS myself (metoring)...what they sent you is actually only partially true, as A LOT of things are hard coded to use administrator, or to deny guests, etc.

as far as elevation of rights for installs...sure, anyone can elevate, including regular users, if they know how.....

GMC43302-

Your settings should be able to be taken care of by setting an OU level policy (on the computer accounts) at computer configuration/windows settings/security settings/user rights assignment
Setting: Change the System time
Value: Remove Power Users so that only Administrators is left

once you obtain the file and registry locations, you will be able to do this properly though and send out registry and file system GPOs at the OU level (with the computers) to loosen permissions and allow the authenticated users group (if app must use local group, then users group of course)

-Brandon Wilson
MCSE:Security00/03
MCSA:Messaging00
MCSA:Security03
A+