The Power in Power Users




Posted by: office politics

[url=http://www.sysinternals.com/blog/2006/05/power-in-power-users.html]The Power in Power Users[/url]
posted by Mark Russinovich @ 11:01 AM

Placing Windows user accounts in the Power Users security group is a common approach IT organizations take to get users into a least-privilege environment while avoiding the many pains of truly running as a limited user. The Power Users group is able to install software, manage power and time-zone settings, and install ActiveX controls, actions that limited Users are denied.

What many administrators fail to realize, however, is that this power comes at the price of true limited-user security. Many articles, including this Microsoft Knowledge Base article and this blog post by Microsoft security specialist Jesper Johansen, point out that a user that belongs to the Power Users group can easily elevate themselves to fully-privileged administrators, but I was unable to find a detailed description of the elevation mechanisms they refer to. I therefore decided to investigate.