Re: disable net create command
From: Steven L Umbach (sumbach55_at_ameritech.net)
Date: 11/11/03
- In reply to: snnto: "Re: disable net create command"
Date: Tue, 11 Nov 2003 15:05:14 GMT
OK. Then that user must be in the Power Users local group on that computer.
If you do not need them to be power users, then remove them from the Power
Users group. However, I understand certain applications may not run as a
regular user, so that may not be possible.
You can disable any executable such as "net" by giving the user/group deny
NTFS permissions to the file - wherever they may be on the computer.
Unfortunately, for a file like net, it is not hard for a user to copy another
instance of it to their computer. You can use Group Policy to some degree to
prevent program execution, keeping in mind that a user may simply be able to
rename the file. Go to user configuration/administrative templates/system to
see options to add disallowed programs, and you may want to disable the
command prompt and registry editing tools while there. Disabling the command
prompt will not allow any authorized startup/logon scripts to run either.
Another thing to try is to change the user rights assignment for log on
locally. I would test this on one computer first. Add the "domain users"
global group and remove all other groups. That should prevent a user from
logging on with a local account to try to bypass Group Policy. Good
luck. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;323525
"snnto" <sjquat@yahoo.com> wrote in message
news:0ebc01c3a858$57e994a0$a301280a@phx.gbl...
> batch file created is:
> net user <user> <password> /add
> this creates a local acct. which does not get the
> restrictions from group policy. my mistake, it's not an admin
> acct, just unrestricted through group policy.
> thanks, santo (learning in the fly)
> >-----Original Message-----
> >What was the batch file? You can not "create" an administrator account
> >via the operating system without already having administrator rights.
> >Now if he can boot from a cdrom/floppy or other device he may have used
> >a password reset program or renamed the sam account. --- Steve
> >
> >
> >"santo" <anonymous@discussions.microsoft.com> wrote in message
> >news:041601c3a7f0$eca4aa70$a501280a@phx.gbl...
> >> a user created a local admin account by writing a net
> >> create batch file in wordpad and ran it creating a local
> >> admin account. he logged on this account and then was able
> >> to use net send. i disabled run and other functions from
> >> the students but this was a creative way around. any
> >> suggestions to prevent users from using the net create or
> >> creating batch files or any other suggestion. i'm using
> >> server 2000 and i'm ok with active dir and group policy.
> >> clients are using windows 2000. thanks, santo
> >
> >
> >.
> >
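
An audit for the situation discussed in this thread (a locally created account that does not receive Group Policy restrictions, made possible by Power Users membership), added here as an example and not part of the original posts. It assumes Windows PowerShell 5.1 or later with the LocalAccounts cmdlets, which the Windows 2000 clients in the thread do not have; the function names and the RID threshold of 1000 used to separate built-in accounts from later ones are this example's own choices.

```powershell
# Added example: audit local accounts and Power Users membership on one computer.
# Assumes Windows PowerShell 5.1+ (Get-LocalUser / Get-LocalGroupMember).

function Get-CreatedLocalAccount {
    # Built-in accounts (Administrator, Guest, ...) have RIDs below 1000;
    # accounts added afterwards, e.g. with "net user <user> <password> /add",
    # are assigned RIDs of 1000 and up.
    Get-LocalUser | Where-Object {
        [uint32]($_.SID.Value.Split('-')[-1]) -ge 1000
    } | Select-Object Name, Enabled, LastLogon,
        @{ Name = 'SID'; Expression = { $_.SID.Value } }
}

function Get-PowerUsersMember {
    # S-1-5-32-547 is the well-known SID of BUILTIN\Power Users; using the SID
    # avoids depending on a localized group name.
    try {
        Get-LocalGroupMember -SID 'S-1-5-32-547' -ErrorAction Stop |
            Select-Object Name, ObjectClass, PrincipalSource
    } catch {
        Write-Warning "Could not read Power Users membership: $($_.Exception.Message)"
    }
}

$accounts = @(Get-CreatedLocalAccount)
$members  = @(Get-PowerUsersMember)

"Local accounts created after installation on ${env:COMPUTERNAME}:"
$accounts | Format-Table -AutoSize | Out-String
"Members of Power Users:"
$members | Format-Table -AutoSize | Out-String

# Enabled local accounts are the ones a user could log on with instead of
# a domain account, which is the bypass described in the thread.
$enabled = @($accounts | Where-Object Enabled)
if ($enabled.Count -gt 0) {
    Write-Warning ("{0} enabled local account(s) to review: {1}" -f `
        $enabled.Count, ($enabled.Name -join ', '))
}
```

Reading the membership of Power Users needs no special rights on a default installation, so the script can run from a logon or scheduled task and have its output collected centrally.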