Re: Locking down Mac OSX clients

> /You/ said that they were trustworthy. /You/ made them administrator.
> Administrators can do anything. That's what the word means for OS X.
> It's impossible to solve your problem if you insist on giving these
> people admin rights.
>
> Why are you giving them admin rights if you want to restrict their
> access to the computer ?
>
> Simon.
> --

I believe I explained this in an earlier post. The sole reason this
Mac network exsists is because this is a team who provide expert
technical support for a group of product. They require being
administrators because they product that they support must be installed
as an admin. Period. I do not have any option in this.

HOWEVER, having said that. We leave a lab in an open area for the
entire team to use. However sooner or later the person that sits
closest to it will start to think of it as 'their' machine -- and
change backgrounds, screensavers, account passwords, etc -- and
eventually render the machine unusuable for the others (or at least
less usuable)

Not to mention there are certain things (i.e. network prefs) that I
simply don't want people messing with. Their product doesn't require
access to the network panel and of course changing network settings can
leave to only not-good things happening.

Despite your opinion that this permissions model is stupid and will
never exist in the real world, Apple must have agreed with it as they
made the chance for Tiger. All kidding aside -- can you honestly tell
me that you can never insision a situation where users need to be local
administrators but as a network administrator you need to enforce a
computer policy down on users?

Now for the good news:

I gave up on the open directory method -- it has great promise but I
haven't been able to find anything that would indicate I can fix this
"feature" on Jag and Panther. However, I did find out that I can drag
items out of the /system/library/preferencepanes folder and put them
into a folder owned by root -- and this works like a charm. I set the
preferences as the user then remove the preference panes. If I ever
need them again I know where to find 'em.

.

Relevant Pages

  • Re: Permissions (EVERYONE POST TO THIS)
    ... >Removing Admin rights from your users is the prudent thing to do. ... Or network admins that don't ... Hackers are usually the least of my security worries. ... my boss and all our superiors are aware of the risks ...
    (microsoft.public.win2000.security)
  • Re: Pen Testing
    ... Is it common that a security company would need rights such as domain ... admin rights to perform an audit on the network? ... Depends on what you want them to audit. ... network plug and maybe an IP address they can use - plus the ...
    (Pen-Test)
  • Re: co-worker spy annoyance
    ... >>assume that disabling that service did not have the desired effect. ... ensure she doesn't have admin rights on your computer. ... > admin rights she can install and run just about anything. ... complain to your network guys ...
    (comp.security.misc)
  • Re: Limited User profile editing
    ... Im using WG111T adapter software - its something that needs ADMIN rights to ... be able to retrieve the Network. ... Limited users to be able to access this software because it does not allow it ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Global Security Group on XP Machine
    ... group to be an admin, not anybody who logs on locally. ... you could place INTERACTIVE as a member of Administrators ... All of the 500 users have, and require, admin rights on the PC that they ... the ability to browse around the c$ hidden share of any PC on the network. ...
    (microsoft.public.security)