Why are you removing the admins? Based on what you wrote, the computer network will probably turn into a massive mess with all these programs installed and users as admins.<br><br><div class="gmail_quote">On Dec 2, 2007 8:22 PM, <
<a href="mailto:Valdis.Kletnieks@vt.edu">Valdis.Kletnieks@vt.edu</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d">
On Sun, 02 Dec 2007 09:42:26 GMT, happy nino said:<br>> Hi All, I've a problem in my organization that we have several domain admins,<br>> we are in the process of removing most of them but I need to have a person
<br></div>> only authorized to install new software to users' computers but without having<br><div class="Ih2E3d">> access to other parts of the users machines, is this possible ?<br><br></div>What exactly are you trying to accomplish, given that if they are allowed to
<br>install software, they are allowed to install software that will then at a<br>later point in time give them access to other parts of the machine? There's no<br>"don't allow the installation of trojaned software" flag. Also, if you're
<br>backing up the machines (you *do* back them up, right?), your admin can<br>probably just restore the files from backup into some other directory...<br><br>Have you looked at using something like EFS or BitLocker *and turn off key
<br>escrow* so the admin's keys don't work? Of course, this makes backups<br>"interesting", and if you have an Internal Audit group, they may have a cow<br>about non-escrowed keys if they have a clue.<br>
<br>It would probably be easier to answer this one if you were able to say<br>specifically what "other parts" you didn't want the admins to be getting at,<br>and why you can't just use "if you abuse your privs, you're fired and we're
<br>calling the local DA" to keep them in line (this works for most places,<br>if you pay your admins a fair wage, but of course some particularly high-value<br>targets invite high-risk attacks).<br></blockquote></div>