Anyone know of a workaround if I have a power user that needs to install a printer? I want to change our XP SP2 image to allow this for our pwr users. Thanks in advance.
Hi. It's when you install some local printers, it will say you must be an administrator...even though you have the drivers. We want ALL users to be pwr users.
Disallow installation of printers using kernel-mode drivers.
Requirements:
At least Microsoft Windows XP Professional or Windows Server 2003 family
Location: Computer Configuration\Printers\
Computer admin question
thread779-973627
From the NTrights tool
Load and unload device drivers
(SeLoadDriverPrivilege)
Allows a user to install and remove drivers for Plug and Play devices. This privilege is not required if a signed driver for the new hardware already exists in the Driver.cab file on the computer.
Default setting: Administrators.
Do not assign this privilege to any user or group other than Administrators. Device drivers run as trusted (highly privileged) code. A user who has "Load and unload device drivers" privilege could unintentionally install malicious code masquerading as a device driver. It is assumed that administrators will exercise greater care and install only drivers with verified digital signatures.
Note: You must have this privilege and also be a member of either Administrators or Power Users in order to install a new driver for a local printer or manage a local printer by setting defaults for options such as duplex printing. The requirement to have both the privilege and membership in Administrators or Power Users is new to Windows XP Professional.
MODIFYING USER RIGHTS FOR MEMBER SERVERS AND WORKSTATIONS
Still sticking to the basics, the following are two strategies for modifying user rights for member servers and workstations:
Modify the Default Domain Policy GPO. This affects all workstations and member servers in the domain.
Modify local security settings. This affects only one computer.
To modify the Default Domain Policy GPO, you have the following two basic choices:
Edit the Default Domain Policy. Right-click the domain object, select Properties, select the Group Policy tab, select Default Domain Policy, and click Edit. This opens the Group Policy Editor. In the left pane, navigate to Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment.
Edit the Domain Security Policy. Click the Start button and select Programs, Administrative Tools, Domain Security Policy. This opens a “subset” of the Group Policy Editor. In the left pane, navigate to Security Settings, Local Policies, User Rights Assignment.
To modify local security settings, again you have two basic choices:
Edit the Local Security Policy. Click the Start button and select Programs, Administrative Tools, Local Security Policy. This opens a “subset” of the Group Policy Editor. In the left pane, navigate to Security Settings, Local Policies, User Rights Assignment.
Use the Resource Kit command NTRights. For example, if you want to assign the right to change system time to all users, you use the following command:
ntrights +r SeSystemTimePrivilege -u Users -m \\PC17
If you don’t include the machine’s name, the command will apply to the local computer.
Ntrights is a command-line tool that enables you to assign or revoke a right for a user or group of users on a local or remote computer. You can also place an entry that notes the change in the event log of the computer.
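An added example, not part of the original thread: after changing user rights with NTRights or a GPO, one way to check which principals ended up with "Load and unload device drivers" is to parse a user-rights export and list every holder other than Administrators. It assumes the export was produced with `secedit /export /cfg <file> /areas USER_RIGHTS`; the sample text and the `helpdesk` account are constructed for illustration.

```python
# Added example: audit a secedit user-rights export for driver-load privilege holders.
ADMINISTRATORS_SID = "S-1-5-32-544"  # BUILTIN\Administrators
WELL_KNOWN = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-547": "BUILTIN\\Power Users",
}

# Constructed sample of an export (not taken from a real machine).
# "helpdesk" is a hypothetical local account.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-547,helpdesk
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(text):
    """Return {privilege_name: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # SIDs carry a leading '*'; entries without it are account names.
        principals = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
        rights[name.strip()] = principals
    return rights

def unexpected_holders(text, privilege="SeLoadDriverPrivilege"):
    """List holders of `privilege` other than the Administrators group."""
    holders = parse_privilege_rights(text).get(privilege, [])
    return [WELL_KNOWN.get(h, h) for h in holders if h.upper() != ADMINISTRATORS_SID]

if __name__ == "__main__":
    for who in unexpected_holders(SAMPLE_EXPORT):
        print("SeLoadDriverPrivilege granted outside Administrators:", who)
```

secedit normally writes the export as UTF-16, so read a real file with `open(path, encoding="utf-16")` before passing its text to `unexpected_holders`.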