Policies for special user accounts

Matthias Wächter matthias at waechter.wol.at
Wed May 26 18:49:42 GMT 1999 

On Thu, 27 May 1999, Norman R. Weathers wrote:

> Our biggest problem that we have is that since this is a teaching lab,
> we have a policy that is pretty restrictive that gets downloaded from
> the Samba server.  Of course, when something goes wrong on the
> computer.... Well, see what I mean.  Supposedly, if I was reading the
> Micro$oft jibberish right, there is a way in the policy to override
> the defaults that you set for certain individuals.  We have tried
> this, but we are still not getting the overrides that we want (ie,
> another technology coordinator and myself would like to setup the
> policy that if we log in, we have full control of the Control Panel
> and Start/Run menu's).  Anyone ever faced this one before?

Problem is that you can't make sure that a standalone Win95 computer is
not administered by someone not allowed to. Everyone can run some .REG
files on regedit to gain access to areas he was locked out a few seconds
before through the policy. If not this, he can write his own .EXE or (in
Win98) write his own Scripting Host files/programs containing code
modifying the registry to grant access to other parts of the computer
setup. NEVER rely on policies on '95 or '98 !!!! I know what I speak of.

The only way we could keep our '95 computers from being administered by
"clever" guys was to remote boot them (additionally with some tricky
startup scripts the user cannot break to gain a command prompt). Another
way would be NT, but '95 is good enough for the next 2 or 3 years, so we
can wait for '2000 or whatever comes then. Actually, '98 can't be (that
easy) setup to remote boot like '95 (and '95a) diskless.

So, to answer your question: You could write some .REG file (i.e. do it
like a "clever" guy), execute it when/after you login, and you have access
to some disabled parts of the Control Panel etc. You just have to make
sure none of your studentsget access to the information how to write such
a .REG file... and believe me, they are always cleverer than the admin
thinks they are.

Sehr Wus,
- Matthias

-- 
Bunt ist das Dasein und granatenstark. Und: Volle Kanne, Hoschis!
                         aus: "Bill und Teds verrückte Reise durch die Zeit"
-----------------------------------------------------------------------------

More information about the samba-ntdom mailing list