none
admin password to delete shortcut?

    Question

  • I am experimenting with Win 7 Professional in an active directory environment.

    I have given my active directory account admin rights to the machine. Yet, if I want to make certain changes to certain areas of the OS (say, set the UAC to one of the "not recommended" settings), it tells me I don't have admin credentials and I need to be logged in as an administrator. Why do I need to bother about setting the UAC to a low level protection? Because my power users cannot even delete a shortcut from their desktops without admin rights. I don't want to give my power users admin rights to the machine but neither do I want to restrict them as much as not having the ability to control the way their desktop looks.

    Anything that you can share that might eventually get me out of this loop will be much appreciated!
    Friday, October 30, 2009 6:04 PM

Answers

  • Hi,

     

    This should be security or permission related. Please also check the following:

     

    SID: S-1-5-domain-500

    Name: Administrator

    Description: A user account for the system administrator. By default, it is the only user account that is given full control over the system.

     

    SID: S-1-5-domain-512

    Name: Domain Admins

    Description: A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.

     

    Well-known security identifiers in Windows operating systems

     

    Since the application is installed by administrator, the user may have no permission to remove it or delete the related files.

     

    If you installed the application with Domain administrator, you can also try to use the local administrator to remove it.

     


    Nicholas Li - MSFT
    Tuesday, November 10, 2009 2:56 AM
    Moderator

All replies

  •   There was a big debate about this during the beta testing. Security people complained that it was a security breach to allow a user to lower the UAC level without being prompted. They argued that it was pointless having UAC at all if it could be modified or disabled by a user without admin privilege. 

      The whole point of UAC is that even admin accounts do not have admin privilege enabled all the time. It is only granted on demand when required for a particular task.


     
    Bill
    Saturday, October 31, 2009 12:46 AM
  • Hi Bill Grant,
    one thing i think that could be changed in windows 7 in order to improve security is to restrict user mode installations which is how most viruses get installed on pcs,so isnt there really a way to make it prompt for usermode installations?
    any input is greatly appreciated!
    thanks in advance,
    RR
    Saturday, October 31, 2009 1:19 AM
  • Hi, Bill,

    I am on the same side about the UAC. I actually do want it to be set to the highest setting because many of my users click on things before thinking. Still, they should be able to configure their desktops the way they want them to look. If they don't want any shortcuts on the desktop, that's fine with me. If they want all their programs to have shortcuts on the desktop, that's also fine. But the current situation is this: no matter if a machine is on an AD or off, if an admin installs a program and leaves a shortcut to this program on the desktop, this shortcut populates to all users and *a power user cannot delete the shortcut*. Is there a way around this?
    Saturday, October 31, 2009 2:02 AM
  • Hi,

     

    This should be security or permission related. Please also check the following:

     

    SID: S-1-5-domain-500

    Name: Administrator

    Description: A user account for the system administrator. By default, it is the only user account that is given full control over the system.

     

    SID: S-1-5-domain-512

    Name: Domain Admins

    Description: A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.

     

    Well-known security identifiers in Windows operating systems

     

    Since the application is installed by administrator, the user may have no permission to remove it or delete the related files.

     

    If you installed the application with Domain administrator, you can also try to use the local administrator to remove it.

     


    Nicholas Li - MSFT
    Tuesday, November 10, 2009 2:56 AM
    Moderator