Re: Computer Management Security Problem

From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 07/28/04

• Next message: khardiss: "Group Access..."
• Previous message: Asif Attari: "Kerberos"
• In reply to: Dave W.: "Re: Computer Management Security Problem"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 28 Jul 2004 14:01:50 GMT

Yeah, what Paul said. :)

Jeff

On Tue, 27 Jul 2004 15:27:02 -0700, "Dave W."
<DaveW@discussions.microsoft.com> wrote:

>It seems that the problem may be related to administrators having "SeTakeOwnershipPrivilege" by default. If I remove that privilege (which the DC loaded with "Administrators" in the default domain policy and change it to "Domain Admins" instead, the users are no longer able to make any changes or to view the shares via computer management.
>
>This may be a solution but since the users have administrator privileges, they can likely re-enable this on their own machine, thus I really need to set the protection on the DC itself to prevent users from accessing these objects.
>
>All users are part of the "Domain Users" group which belongs to the "Adminstrators" group in the GP loaded into each users PC. This gives them the required privileges on their own PC but does not give them domain administrator privileges.
>
>Thanks for your continuing help.
>
>"Jeff Cochran" wrote:
>
>> On Tue, 27 Jul 2004 09:20:40 -0700, "Dave W." <Dave
>> W.@discussions.microsoft.com> wrote:
>>
>> >We use a Windows 2003 DC and have found that all of our users can choose the "Manage" on "My Computer" and then choose the domain controller PC as the PC to manage. They can then add shares, shut down services, etc. which defeats all the security.
>> >
>> >How can I prevent users from specifying another computer name in the computer management console snap-in and/or how do I restrict a computer from allowing on specific users to connect.
>> >
>> >Note that all of our users are administrators which I know is bad, but they are software developers and need to constantly re-install, update registries, etc.
>>
>> Administrators? As in "Domain Administrators"? Maybe Local
>> Administrators, but not Domain Administrators.
>>
>> Jeff
>>

• Next message: khardiss: "Group Access..."
• Previous message: Asif Attari: "Kerberos"
• In reply to: Dave W.: "Re: Computer Management Security Problem"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Why Do You Need 5 Megapixels? ... Jeff G wrote: ... Paul (And I'm, like, "yeah, whatever!") ... Prev by Date: ... (rec.photo.digital) Re: The Pope does not back intelligent design ... 27 But God hath chosen the foolish things of the world to confound the wise; ... I was replying to Jeff, and to the point Jeff was making ... I agree that Paul seems to have ... If that's conspiracy then ... (uk.religion.christian) Re: PNG data generated by TkImg1.3 ... Jeff, I was also able to imagine that IE and MS-Office suite, Fax ... Paul, these are the very gamma values I have just seen when I examined ... Because customers' wish is to ... (comp.lang.tcl) Re: Ellen Wheels and the Damage Done ... Jeff Kdvute wrote: ... > If Paul had a new hit, he would be accused of being too commercial. ... Poor Paulie! ... (rec.music.beatles) Re: John Mayalls guitar player ... Peter Green, Mick Taylor, Coco Montoya, Walter Trout, Paul ... Jimmy McCulloch, Harvey Mandel, Bernie Watson, Roger Dean, Jeff Kribett, ... Miranov, Jeff Layton, James Quill Smith, Nick Messina, Sid McGinnis, ... Steve Hughes, Mile Cooley, John Tropea, Steve Lukather. ... (rec.music.makers.guitar)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint