Re: Computer Management Security Question

From: Dave W. (DaveW_at_discussions.microsoft.com)
Date: 07/27/04

    Date: Tue, 27 Jul 2004 14:15:02 -0700
    
    

    Hello Danny,

    No, they are not domain administrators; they are only administrators on their own machines (although they do log in via the DC for authentication). The way I did this was I have a group policy that all staff belong to and in this policy, the "Restricted Groups" section has Administrators with members being Domain Admins and Domain Users. Thus, on their local PCs, when they receive the GP, their "administrators" group contains the "domain\domain admins" and "domain\domain users" as members.

    Further, each user account is restricted to permit them to log in ONLY to their own machine. Note that in monitoring the event log, it seems that they are gaining access because they have the "SeTakeOwnershipPrivilege". Is this something that I can turn off?

    "Danny Sanders" wrote:

    > Sounds like you made your users domain admins instead of admin of their
    > local computer.
    > If so take them out of the domain admin group and, from their local computer
    > add their domain account to the local admin group.
    > They will be able to install, update, their local computer but no control
    > over the domain controllers.
    >
    > hth
    > DDS W 2k MVP MCSE
    >
    > "Dave W." <DaveW@discussions.microsoft.com> wrote in message
    > news:4CF603E6-B7BF-4382-8080-E6CF7C9AD2D6@microsoft.com...
    > > We use a Windows 2003 DC and have found that all of our users can choose
    > the "Manage" on "My Computer" and then choose the domain controller PC as
    > the PC to manage. They can then add shares, shut down services, etc. which
    > defeats all the security.
    > >
    > > How can I prevent users from specifying another computer name in the
    > computer management console snap-in and/or how do I restrict a computer from
    > allowing on specific users to connect.
    > >
    > > Note that all of our users are administrators which I know is bad, but
    > they are software developers and need to constantly re-install, update
    > registries, etc.
    > >
    > >
    >
    >
    >
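
An added example, not part of the original posts: a Python check that reads the `[Group Membership]` section of a GPO security template (`GptTmpl.inf`) and reports Restricted Groups entries that place broad groups such as Domain Users in Administrators, the configuration described in the message above. The template text and the domain SID are constructed sample data, and the function names are hypothetical.

```python
import re

# Well-known SIDs and domain RIDs for principals that cover most accounts.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users",
              "S-1-5-32-545": "BUILTIN\\Users"}
BROAD_DOMAIN_RIDS = {"513": "Domain Users", "515": "Domain Computers"}
BROAD_NAMES = {"everyone", "authenticated users", "users", "domain users"}
ADMIN_KEYS = {"s-1-5-32-544", "administrators"}  # BUILTIN\Administrators

# Constructed sample template; the domain SID below is made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-513
*S-1-5-32-555__Members = EXAMPLE\\Helpdesk
"""

def group_membership(inf_text):
    """Return {group: [members]} from the [Group Membership] section."""
    section, result = None, {}
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "group membership" and "=" in line:
            key, _, value = line.partition("=")
            group, sep, kind = key.strip().rpartition("__")
            if sep and kind.lower() == "members":  # skip __Memberof entries
                result[group.lstrip("*")] = [
                    m.strip().lstrip("*") for m in value.split(",") if m.strip()]
    return result

def broad_label(member):
    """Name the broad principal a member (SID or name) refers to, or None."""
    if member in BROAD_SIDS:
        return BROAD_SIDS[member]
    m = re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-(\d+)", member, re.I)
    if m:
        return BROAD_DOMAIN_RIDS.get(m.group(1))
    name = member.rsplit("\\", 1)[-1].lower()
    return member if name in BROAD_NAMES else None

def risky_admin_members(inf_text):
    """List (member, label) pairs that make a broad group an administrator."""
    findings = []
    for group, members in group_membership(inf_text).items():
        if group.rsplit("\\", 1)[-1].lower() in ADMIN_KEYS:
            findings += [(m, broad_label(m)) for m in members if broad_label(m)]
    return findings
```

A finding matters most when the GPO also applies to domain controllers, where Administrators is the domain's built-in group rather than a per-machine one.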

