RE: Active Directory



It sounds to me like you may have issues with rights delegation. Ideally
you should not be using the administrators group to assign permissions to
perform specific tasks. Instead, you should use domain based groups that
have been assigned specific AD rights or specific localized privileges. For
example, if you have someone involved in your web applications that should
have admin on the 10 servers for web apps but not for any other server in
the organization, you construct a group called "IT - WebApp Admins" which is
by default assigned no rights at the AD level. You login to the 10 servers
or whatever that make up the administrative scope for this privilege and
assign this new group administrator rights locally.

This can be more time consuming to implement but is a far more granular
implementation of rights in the long term.

Now, as far as specifically locking out an administrator regardless of
admin rights that may already be assigned, this is done through one of two methods.
Either the local security policy (pre-Vista) or the assignment of security
policy through a GPO (nearly any Windows OS in a domain environment). You
need to deny logon locally and/or deny logon through the network. The only
other thing you need to consider here is that your RDP rights assignment for
a given machine may include blanket permissions for administrators group.
You will want to look at that.

As far as disabling a computer is concerned, are you looking to physically
disable it so it will not turn on or simply remove it from network use? At
the present time, I am guessing the latter, but in either case there is no
way to authoritatively do either without moving beyond the MS/Windows
environment and working on the network switch. In a Server 2008 environment
with appropriate hardware, the answer for the latter is exercising Network
Access Protection (NAP), which one would hope was already in your network
infrastructure.

NAP: http://technet.microsoft.com/en-us/network/bb545879.aspx

Wayne S. Anderson
http://www.linkedin.com/in/wayneanderson
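
A scripted form of the two steps described in the reply above (a scoped domain group granted local admin on one server tier, then a check for blanket Administrators grants and for the deny-logon rights pushed by policy), added here as an example and not taken from the original message. The CONTOSO domain, the group name and the server names WEB01 to WEB03 are constructed placeholders; it assumes PowerShell 5.1 with the LocalAccounts module (Windows Server 2016 or later) and WinRM access to the servers.

```powershell
# Added example, not from the original post. CONTOSO, the group name and
# the server names are constructed; run from an account that is a local
# admin on the target servers.
$Domain     = 'CONTOSO'
$ScopeGroup = "$Domain\IT - WebApp Admins"
$WebServers = 'WEB01', 'WEB02', 'WEB03'       # constructed administrative scope

# Members that are expected in the local Administrators group on the web tier.
$Allowed = @("$Domain\Domain Admins", $ScopeGroup)

$results = Invoke-Command -ComputerName $WebServers -ArgumentList $ScopeGroup, $Allowed -ScriptBlock {
    param($ScopeGroup, $Allowed)

    # The built-in local Administrator is reported as COMPUTERNAME\Administrator.
    $Allowed += "$env:COMPUTERNAME\Administrator"

    # 1. Grant the scoped group local admin rights if not already present (idempotent).
    $members = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                 ForEach-Object Name)
    if ($members -notcontains $ScopeGroup) {
        Add-LocalGroupMember -Group 'Administrators' -Member $ScopeGroup
        $members += $ScopeGroup
    }

    # 2. Flag any member outside the allow list: these are the blanket
    #    Administrators grants the reply says to look at.
    $unexpected = @($members | Where-Object { $_ -notin $Allowed })

    # 3. Export the effective user rights assignment (local policy merged with GPO)
    #    and pull the three deny-logon rights; secedit lists the principals as SIDs.
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $denyRights = Get-Content $inf |
        Where-Object { $_ -match '^SeDeny(Interactive|Network|RemoteInteractive)LogonRight' }
    Remove-Item $inf -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        UnexpectedAdmins  = $unexpected
        DenyLogonRights   = $denyRights
    }
}

# Any server with UnexpectedAdmins populated, or with empty DenyLogonRights
# after the GPO has been applied, needs a closer look.
$results | Format-List Computer, UnexpectedAdmins, DenyLogonRights
```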


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of wjbox1-guard@xxxxxxxxx
Sent: Thursday, August 30, 2007 12:19 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Active Directory

What is the easiest way to lock a lower level administrator from using the
PC via Active Directory?

When disabling a computer, what else can be done without having to block the
IP address or MAC to make sure the PC does not get on the network and/or
change the computer name?
