RE: Deny Logon by Domain Admin account to specific PC's or deny to all BUT specific PC's

From: Hindle, Dallas (Dallas.Hindle_at_bakersdelight.com.au)
Date: 11/11/05

    Date: Fri, 11 Nov 2005 13:52:06 +1100
    To: <focus-ms@securityfocus.com>
    
    

    Thanks Laura

    Yes, all of our Servers are in a server OU which is then split into
    various OU's for specifics (Application, SQL, Citrix, DC, etc, etc) so a
    GPO will flow down to all the sub OU's except for the one that we have
    intentionally blocked all Policies from.

    Also, to clarify, the Account is the Default Domain admin account which
    was renamed in the early years, so I can't just change the "Log On
    To..." option in the Account tab of the account.

    However, I'm thinking I might also be able to rename the account to
    something else, then create a new domain admin account with the same
    name and restrict it. There shouldn't be any problems restricting a
    normal account in the domain admin group to certain servers /
    workstations.

    Sorry, forgot to reply to all :(

    Thanks

    Dallas

     
    -----Original Message-----
    From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
    Sent: Friday, 11 November 2005 1:31 PM
    To: Hindle, Dallas; focus-ms@securityfocus.com
    Subject: RE: Deny Logon by Domain Admin account to specific PC's or deny
    to all BUT specific PC's

    Well, you can do this with Group Policy, but it's really going to depend
    on your OU structures. Assuming all of the machines/software using this
    account are servers, do you have your servers in a single OU structure?
    If this is the case, I can give you more information, but it's gonna be
    a lot of typing if this isn't the case, so I'll wait for your reply. :-)

    Laura

    > -----Original Message-----
    > From: Hindle, Dallas [mailto:Dallas.Hindle@bakersdelight.com.au]
    > Sent: Thursday, November 10, 2005 8:16 PM
    > To: focus-ms@securityfocus.com
    > Subject: Deny Logon by Domain Admin account to specific PC's
    > or deny to all BUT specific PC's
    >
    > Hi all
    >
    > I assumed this was easy but I must be missing something...
    >
    > I have a domain admin Account that is used for Services, SQL
    > Processes, Scheduled Tasks and for automated logons for some
    > proprietary software... This account has had the password
    > leak out to a 3rd party who has decided to share it with
    > other people in the company.
    >
    > As I'm sure you agree I need to get his account locked down
    > ASAP, I want to prevent logon to this account from any pc's
    > other than the ones I authorise, and I thought this was a
    > simple process, I don't know what I'm missing but if anyone
    > has any suggestions it would be much appreciated.
    >
    > Thanks
    >
    > Dallas