Local Power Users Group

9 Nov 2007 9:26 PM

GW

Currently a user who is in the local Power Users group can open My Network
Places and see all computers and servers listed. When they try to open a
member server or a computer, they are prompted for a network administrators
password. But, they are able to open a domain controller and have Write
access to the domain controller. Is there a way to restrict/disable a Power
User from accessing Domain Controllers on the network? Or better yet,
hide/disable My Network Places for Power Users Group?
Thanks,
GW

10 Nov 2007 7:13 AM

Roger Abell [MVP]

Hiding My Network Places or otherwise crippling the ability
to browse the MS client/server network does not really make
anything unavailable, except browsing the list of what is there.

The issue you have is not that the account is a Power User on
some machine. The issue is what grants exist to the account
of the domain that they are using, or to groups of which it is a
member, and this is so whether we consider the grants on the
domain controllers or on other servers that they access.

Roger

Show quoteHide quote

"GW" <G*@discussions.microsoft.com> wrote in message
news:F2A52A37-8202-45EA-8951-522FD0972AFF@microsoft.com...
> Currently a user who is in the local Power Users group can open My Network
> Places and see all computers and servers listed. When they try to open a
> member server or a computer, they are prompted for a network
> administrators
> password. But, they are able to open a domain controller and have Write
> access to the domain controller. Is there a way to restrict/disable a
> Power
> User from accessing Domain Controllers on the network? Or better yet,
> hide/disable My Network Places for Power Users Group?
> Thanks,
> GW

12 Nov 2007 3:13 PM

GW

Its Ok that it doesn't really make it unavailable. I want to keep a user
from browsing the lists of what is there. Or, if they can browse the list,
make them unable to open the domain controllers and see and access what's on
the drivers. Is the OS capable of doing this and if so, can you give me the
steps to follow to make the changes?
Thanks,
GW

Show quoteHide quote

"Roger Abell [MVP]" wrote:

> Hiding My Network Places or otherwise crippling the ability
> to browse the MS client/server network does not really make
> anything unavailable, except browsing the list of what is there.
>
> The issue you have is not that the account is a Power User on
> some machine. The issue is what grants exist to the account
> of the domain that they are using, or to groups of which it is a
> member, and this is so whether we consider the grants on the
> domain controllers or on other servers that they access.
>
> Roger
>
> "GW" <G*@discussions.microsoft.com> wrote in message
> news:F2A52A37-8202-45EA-8951-522FD0972AFF@microsoft.com...
> > Currently a user who is in the local Power Users group can open My Network
> > Places and see all computers and servers listed. When they try to open a
> > member server or a computer, they are prompted for a network
> > administrators
> > password. But, they are able to open a domain controller and have Write
> > access to the domain controller. Is there a way to restrict/disable a
> > Power
> > User from accessing Domain Controllers on the network? Or better yet,
> > hide/disable My Network Places for Power Users Group?
> > Thanks,
> > GW
>
>
>

15 Nov 2007 6:24 AM

Roger Abell [MVP]

You cannot prevent them from browsing the list of machines
except by not running the Computer Browser and Workstation
services on the machines that they use.

To prevent them from looking into shares on machines you
need to make sure that they have no grants on those shares.

That means making sure that the account they use, or groups
in which it is a member, have no grants on those shares.
If you have granted that account (or its groups) access, then
you cannot expect the account to have no access. If the account
(or its groups) has no grants, then it will have no access.

The grants can be controlled at either the share level (the
permissions tab on the Sharing dialog) or the NTFS level
(the Security dialog) in the properties of the shared.

Roger

Show quoteHide quote

"GW" <G*@discussions.microsoft.com> wrote in message
news:9A0CD4D8-3B66-47E1-9717-BC6337855B59@microsoft.com...
> Its Ok that it doesn't really make it unavailable. I want to keep a user
> from browsing the lists of what is there. Or, if they can browse the
> list,
> make them unable to open the domain controllers and see and access what's
> on
> the drivers. Is the OS capable of doing this and if so, can you give me
> the
> steps to follow to make the changes?
> Thanks,
> GW
>
> "Roger Abell [MVP]" wrote:
>
>> Hiding My Network Places or otherwise crippling the ability
>> to browse the MS client/server network does not really make
>> anything unavailable, except browsing the list of what is there.
>>
>> The issue you have is not that the account is a Power User on
>> some machine. The issue is what grants exist to the account
>> of the domain that they are using, or to groups of which it is a
>> member, and this is so whether we consider the grants on the
>> domain controllers or on other servers that they access.
>>
>> Roger
>>
>> "GW" <G*@discussions.microsoft.com> wrote in message
>> news:F2A52A37-8202-45EA-8951-522FD0972AFF@microsoft.com...
>> > Currently a user who is in the local Power Users group can open My
>> > Network
>> > Places and see all computers and servers listed. When they try to open
>> > a
>> > member server or a computer, they are prompted for a network
>> > administrators
>> > password. But, they are able to open a domain controller and have
>> > Write
>> > access to the domain controller. Is there a way to restrict/disable a
>> > Power
>> > User from accessing Domain Controllers on the network? Or better yet,
>> > hide/disable My Network Places for Power Users Group?
>> > Thanks,
>> > GW
>>
>>
>>