Re: Computer Management Security Question
From: Dave W. (DaveW_at_discussions.microsoft.com)
Date: Tue, 27 Jul 2004 14:15:02 -0700
No, they are not domain administrators, they are only administrators on their own machines (although they do log in via the DC for authentication). The way I did this was I have a group policy that all staff belong to and in this policy, the "Restricted Groups" section has Administrators with members being Domain Admins and Domain Users. Thus, on their local PCs, when they receive the GP, their "administrators" group contains the "domain\domain admins" and "domain\domain users" as members.
Further, each user account is restricted to permit them to log in ONLY to their own machine. Note that in monitoring the event log, it seems that they are gaining access because they have the "SeTakeOwnershipPrivilege". Is this something that I can turn off?
"Danny Sanders" wrote:
> Sounds like you made your users domain admins instead of admin of their
> local computer.
> If so take them out of the domain admin group and, from their local computer
> add their domain account to the local admin group.
> They will be able to install, update, their local computer but no control
> over the domain controllers.
> DDS W 2k MVP MCSE
> "Dave W." <DaveW@discussions.microsoft.com> wrote in message
> > We use a Windows 2003 DC and have found that all of our users can choose
> > the "Manage" on "My Computer" and then choose the domain controller PC as
> > the PC to manage. They can then add shares, shut down services, etc. which
> > defeats all the security.
> > How can I prevent users from specifying another computer name in the
> > computer management console snap-in and/or how do I restrict a computer from
> > allowing only specific users to connect.
> > Note that all of our users are administrators which I know is bad, but
> > they are software developers and need to constantly re-install, update
> > registries, etc.
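
An added example, not part of the thread and not from either poster: a PowerShell check that flags broad principals such as Domain Users in a machine's Administrators group, the membership the Restricted Groups policy described above produces. The function name `Find-BroadAdminMember`, the `EXAMPLE` domain and the sample SIDs are constructed for illustration; the well-known SIDs and RIDs are standard Windows values.

```powershell
# Added example: flag overly broad principals in an Administrators group.
# Well-known SIDs that cover most or all accounts.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
# Well-known domain-relative RIDs (last part of a domain SID).
$BroadDomainRids = @{ '513' = 'Domain Users'; '515' = 'Domain Computers' }

function Find-BroadAdminMember {
    # Hypothetical helper: takes objects with Name and SID properties,
    # the shape Get-LocalGroupMember returns.
    param([Parameter(Mandatory)][object[]]$Members)
    foreach ($m in $Members) {
        $sid = [string]$m.SID
        if ($BroadSids.ContainsKey($sid)) {
            [pscustomobject]@{ Name = $m.Name; SID = $sid; Reason = $BroadSids[$sid] }
        }
        elseif ($sid -match '^S-1-5-21-\d+-\d+-\d+-(\d+)$' -and
                $BroadDomainRids.ContainsKey($Matches[1])) {
            [pscustomobject]@{ Name = $m.Name; SID = $sid; Reason = $BroadDomainRids[$Matches[1]] }
        }
    }
}

# Constructed sample: the membership the post describes after the GPO applies.
$sample = @(
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins'
                       SID  = 'S-1-5-21-1111111111-2222222222-3333333333-512' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Users'
                       SID  = 'S-1-5-21-1111111111-2222222222-3333333333-513' }
)
Find-BroadAdminMember -Members $sample   # reports only the Domain Users entry

# On a live member workstation or server (PowerShell 5.1 or later):
# Find-BroadAdminMember -Members (Get-LocalGroupMember -SID 'S-1-5-32-544')
```

The live call is for workstations and member servers; a domain controller has no local account database, and its Administrators group is the domain's own built-in Administrators group.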