Technical explanation
Has Your colleagues got total power of Your hard disc in Windows 2000/XP
W2kLocalGroupPolicy / W2kTotalPowerWhere

Technical explanation:

More and more programs are upgrading themselves while Your users are logged in, but even if You don’t have such programs, maybe You decided, that Your users must be able to install programs on their Windows 2000/XP client-computer running on Your network.

Installing programs on a Windows 95/98 client computer is no problem. Any of Your users can do that, because there are no restrictions in the operating system.

Installing programs on a Windows 2000/XP client computer is another matter. Because there are many different restrictions in the operation system, because of the Local Groups on the hard disk.

The important group is the LocalAdministratorsGroup. Members of this group can install programs, because the operating system grants this group rights to save files in the C:\WINNT\SYSTEM32-folder and to change the important parts of the registry.

By default only the LocalAdministrator user is granted membership of the LocalAdministratorsGroup.

So installing Windows 2000/XP on a computer, You have to decide who can be members of the LocalAdministratorsGroup. There are different possibilities, ranging from adding GlobalDomainGroups to the LocalAdministratorsGroup or to release the LocalAdministrators password, when Your users must install programs.

Any of these solutions makes the security hole work!

If You have many client computers it is a hard work for You if You want to stop the security hole.

The only way until now, is to remove everybody but the LocalAdministrator and GlobalDomainAdminsGroup, and only add the one and only DomainUser who uses the client computer.

Do You have computer used by more than one user? Do You have users using other than their own computer?

If You have given this problem deep reflection, maybe You have prepared some GlobalDomainGroups with the same names ready on every computer, being member of the LocalAdministratorsGroup.

And then if it’s necessary, You can temporarily add the DomainUser to this GlobalDomainGroup, and the user can install programs until You removes the DomainUser again after maybe 2 days?

This solution also makes the security hole work!

While the user (for 2 days) is a member of this GlobalDomainGroup, the DomainUser at once gains total admin power on every computer on Your network, simply by typing \\ComputerName\C$ in Explorer. Certainly when You removes the DomainUser from one of these GlobalDomainGroups again, the DomainUser will not have total admin power on the other computers anymore.

BUT while the DomainUser is a member of the Local Admin Group, he/she can make a new local user on every computer on the network, and grant this local user membership of the Local Admin Group on every computer.

And the DomainUser can do it from his/hers own computer without anyone seeing anything about it.

So - if You have such a DomainUser, he/she will retain the total admin power every computer on Your network, even after You have removed the DomainUser from one of the above mentioned GlobalDomainGroups

Another problem is releasing the password for the LocalAdministrator. You have probably set the same password for the LocalAdministrator to the same on all Your computers. Otherwise You can’t support/rescue these computers, if You don’t know the password.

But releasing the password to an DomainUser, when Your user must install programs, or having a DomainUser guessing/hacking the password, he/she will gain TOTAL control over all of the other Windows 2000/XP-client computers, from his/hers own client computer, even if no other that the LocalAdministrator is a member of the LocalAdministratorsGroup!

Because of this security-hole, all Your LocalAdministrators passwords should be different. This shouldn't give You any problems, if You remember to add the GlobalDomainAdminsGroup as a member of the LocalAdmininistratorsGroup on each client computer.

So there is a lot of work running from computer to computer if You want to stop this security hole.

If You want to do all this from Your own Windows 2000/XP client computer, You should consider trying W2kLocalGroupPolicy free on 9 client computers for 90 days.