[funsec] Administrator Accounts

Matthew Murphy mattmurphy at kc.rr.com
Wed Feb 22 13:45:38 CST 2006

Larry Seltzer wrote:
> I would assume that all, or nearly all enterprise Windows users are logging
> into a domain. This means that their rights are controlled through domain
> administration, and making the average user an administrator would be an
> insane thing to do. 
> It also appears to me that UAC is a matter for local accounts, not domain
> accounts. So Vista, being a client OS, really can't address the problem.

Many users do log in over a domain.  However, these "Domain Users" are
also members of the "Local Administrators" group.  Vista removes this
power from applications that don't really need it.

Take, for example, the take-home notebooks of a certain Fortune 100.
Users of said notebooks currently log in as domain users using cached
credentials to authenticate.  These users are also members of the local
administrators group, meaning that they wield incredible destructive
power over their own take-home PCs but not much on the domain.

--
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein
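
The condition described in the message above (domain accounts that are also local administrators) can be audited per machine. The following is an added example, not part of the original message; it assumes Windows PowerShell 5.1 or later with the built-in Microsoft.PowerShell.LocalAccounts module, and the function name Get-AdminRisk is hypothetical.

```powershell
# Added example: list who holds local administrator rights on this machine
# and flag domain principals, in particular the "Domain Users" group.

# BUILTIN\Administrators is addressed by its well-known SID so the check
# does not depend on the display language of the OS.
$adminsSid = 'S-1-5-32-544'

function Get-AdminRisk {
    # Hypothetical helper: classify one member of the local Administrators group.
    param($Member)

    $sid = $Member.SID.Value

    # RID 513 under a domain SID is the Domain Users group.
    if ($sid -match '^S-1-5-21-.+-513$') {
        return 'Domain Users group: every domain user is a local admin here'
    }
    # Authenticated Users (S-1-5-11) and Everyone (S-1-1-0) are broader still.
    if ($sid -in 'S-1-5-11', 'S-1-1-0') {
        return 'Authenticated Users / Everyone is a local admin here'
    }
    # RID 512 is Domain Admins, added by default when a machine joins a domain.
    if ($sid -match '^S-1-5-21-.+-512$') {
        return 'Domain Admins (default on domain-joined machines)'
    }
    if ($Member.PrincipalSource -eq 'ActiveDirectory') {
        if ($Member.ObjectClass -eq 'User') {
            return 'Individual domain account with local admin rights'
        }
        return 'Domain group: review its membership'
    }
    return 'Local principal'
}

Get-LocalGroupMember -SID $adminsSid | ForEach-Object {
    [pscustomobject]@{
        Name   = $_.Name
        Class  = $_.ObjectClass
        Source = $_.PrincipalSource
        Note   = Get-AdminRisk $_
    }
} | Format-Table -AutoSize
```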
