Re: Denying Access to Client Machine in AD
From: Roger Abell [MVP] (mvpNOSPAM@asu.edu)
Date: 12/20/02
- Next message: Roger Abell [MVP]: "Re: server alerts"
- Previous message: Brad: "Annoying password noodge"
- In reply to: Mike: "Denying Access to Client Machine in AD"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Roger Abell [MVP]" <mvpNOSPAM@asu.edu>
Date: Fri, 20 Dec 2002 07:10:28 -0700
"Mike" <soniic@hotmail.com> wrote in message
news:72fd02c8.0212192041.52d85bad@posting.google.com...
> Hello,
>
> I understand that Domain Administrators have full blown access to
> client machines that are members of an AD Domain (from Active
> Directory Users & Computers ---> Computers ---> RightClick on a
> computer and choose manage).
>
> This brings up the Computer Management MMC snap-in from which the
> Domain Admin can start/stop services, create/delete shares and local
> users, etc. Domain admins also have full blown access to local drives
> on client machines by going to \\ClientMachine\c$, etc.
>
> I was wondering if there is any way for a client machine to DENY
> Domain Administrators (or anybody for that matter) access to the
> machines?
>
> I'm asking because when I travel to client sites and join their domain
> (with a temp login & password) I don't want any admins on their network
> to be able to get access to any files on my machine.
>
> I don't want to have to install any firewall software on my laptop (it's
> slow enough already!)... isn't there a service I can stop that will
> block admins from remotely connecting to my machine to manage it in
> any way?
>
> Thanks in advance!
> -Mike
There is no permanent, non-circumventable way to
prevent domain admins from accessing resources on
a domain member. Removing Domain Admins from
the local Admins can make it difficult, as can explicitly
denying the rights to log on over the network and
locally. However, they can still push down changes
that will re-enable their access. It is a matter of how
convenient it is for them, and how intentional they
need to be.
However, there is a bigger issue with joining your
machine to the customer's domain. Once joined
your machine will be subject to the GPOs appropriate
to their domain and OU structure. You may very
well not like the result of this. I have seen people
lose all administrative access to their machine due
to use of Restricted Groups in the GPOs. Further,
Domain Users becomes a member of Users. If you
have not hardened your system with this in mind then
you are open to more than the admin access about
which you have expressed your concerns. If you
can figure how to do what you need with your
machine as a standalone then this is how you should
do your work.
--
Roger Abell
MS MVP (Windows Security), MCDBA, MCSE both
Associate Expert - Windows XP ExpertZone
http://www.microsoft.com/windowsxp/expertzone
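As an added example (not part of the original thread), the following PowerShell audit checks the two hardening points Roger's reply mentions: whether domain principals sit in the local Administrators group, and whether the "Deny access to this computer from the network" right is populated. It assumes Windows 10 / Server 2016 or later for the Microsoft.PowerShell.LocalAccounts cmdlets and an elevated prompt for secedit; the function names are this example's own.

```powershell
# Added audit script; not from the original thread. Reports the state a
# travelling laptop would want to verify before and after joining a customer domain.

function Get-DomainJoinState {
    # Win32_ComputerSystem exposes whether the host is currently a domain member.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    [pscustomobject]@{ ComputerName = $cs.Name; PartOfDomain = $cs.PartOfDomain; Domain = $cs.Domain }
}

function Get-DomainMembersOfLocalAdmins {
    # Anything whose PrincipalSource is not 'Local' came from a domain (or a Microsoft account).
    # A GPO Restricted Groups policy can re-add such members on every refresh, which is the
    # re-enablement risk the reply warns about, so this check is worth repeating after joining.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.PrincipalSource -ne 'Local' } |
        Select-Object Name, ObjectClass, PrincipalSource, SID
}

function Get-DenyNetworkLogonRight {
    # secedit exports the effective user-rights assignment to an INI-style (UTF-16) file.
    $cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    $line = Select-String -Path $cfg -Pattern '^SeDenyNetworkLogonRight' | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right not assigned to anyone
    # The value is a comma-separated list of *SID entries or account names; resolve SIDs where possible.
    ($line.Line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $v = $_.Trim()
        if ($v.StartsWith('*')) {
            try { (New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))).Translate([System.Security.Principal.NTAccount]).Value }
            catch { $v }   # unresolvable SID (e.g. from a domain we are no longer joined to)
        } else { $v }
    }
}

$state  = Get-DomainJoinState
$admins = @(Get-DomainMembersOfLocalAdmins)
$deny   = @(Get-DenyNetworkLogonRight)

"Host {0} domain-joined: {1} ({2})" -f $state.ComputerName, $state.PartOfDomain, $state.Domain
if ($admins.Count -eq 0) { "Local Administrators contains no domain principals." }
else { "Domain principals in local Administrators:"; $admins | Format-Table -AutoSize }
if ($deny.Count -eq 0) { "SeDenyNetworkLogonRight is not assigned." }
else { "SeDenyNetworkLogonRight assigned to:"; $deny }
```

Run it once before joining and again after the first Group Policy refresh; a difference in the Administrators list shows that domain policy, not a local change, is controlling membership.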