Re: Computer Management Security Question
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 07/28/04
- In reply to: Dave W.: "Re: Computer Management Security Question"
- Next in thread: Dave W.: "Re: Computer Management Security Question"
- Reply: Dave W.: "Re: Computer Management Security Question"
Date: Wed, 28 Jul 2004 00:40:46 -0700
And the GPO with this restricted group definition
is linked at the domain level rather than to an OU
in which the developers' machines are placed?
If so, then you are making them members of the
domain\administrators group as well as of each
machine\administrators group.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Dave W." <DaveW@discussions.microsoft.com> wrote in message
news:595A1CC7-F169-4A9E-B7D2-61727A9F49B3@microsoft.com...
> Hello Danny,
>
> No, they are not domain administrators, they are only administrators on their own machines (although they do log in via the DC for authentication). The way I did this was I have a group policy that all staff belong to and in this policy, the "Restricted Groups" section has Administrators with members being Domain Admins and Domain Users. Thus, on their local PCs, when they receive the GP, their "administrators" group contains the "domain\domain admins" and "domain\domain users" as members.
>
> Further, each user account is restricted to permit them to log in ONLY to their own machine. Note that in monitoring the event log, it seems that they are gaining access because they have the "Se TakeOwnership Privilege". Is this something that I can turn off?
>
> "Danny Sanders" wrote:
>
> > Sounds like you made your users domain admins instead of admin of their
> > local computer.
> > If so take them out of the domain admin group and, from their local computer
> > add their domain account to the local admin group.
> > They will be able to install, update, their local computer but no control
> > over the domain controllers.
> >
> > hth
> > DDS W 2k MVP MCSE
> >
> > "Dave W." <DaveW@discussions.microsoft.com> wrote in message
> > news:4CF603E6-B7BF-4382-8080-E6CF7C9AD2D6@microsoft.com...
> > > We use a Windows 2003 DC and have found that all of our users can choose the "Manage" on "My Computer" and then choose the domain controller PC as the PC to manage. They can then add shares, shut down services, etc. which defeats all the security.
> > >
> > > How can I prevent users from specifying another computer name in the computer management console snap-in and/or how do I restrict a computer from allowing only specific users to connect.
> > >
> > > Note that all of our users are administrators which I know is bad, but they are software developers and need to constantly re-install, update registries, etc.
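Added example, not part of the original thread: a Python check for the misconfiguration discussed above. It parses the [Group Membership] section of a GPO security template (GptTmpl.inf) and flags broad principals placed in BUILTIN\Administrators, then reports whether the GPO link also reaches the domain controllers. The sample template, domain SID, distinguished names and function names are constructed for illustration.

```python
import re

# Well-known SIDs and domain RIDs that cover every user in the domain.
BROAD_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}
BROAD_RIDS = {"513": "Domain Users"}
ADMIN_GROUPS = {"S-1-5-32-544", "ADMINISTRATORS"}  # BUILTIN\Administrators

# Constructed sample of a Restricted Groups template (made-up domain SID).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,*S-1-5-21-1111111111-2222222222-3333333333-513
"""

def broad_admin_members(inf_text):
    """Return names of broad principals the template puts in Administrators."""
    findings, section = [], None
    for raw in inf_text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "group membership" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, _, kind = key.strip().lstrip("*").rpartition("__")
        if group.upper() not in ADMIN_GROUPS or kind.lower() != "members":
            continue
        for member in value.split(","):
            sid = member.strip().lstrip("*").upper()
            rid = sid.rsplit("-", 1)[-1]
            if sid in BROAD_SIDS:
                findings.append(BROAD_SIDS[sid])
            elif sid.startswith("S-1-5-21-") and rid in BROAD_RIDS:
                findings.append(BROAD_RIDS[rid])
    return findings

def reaches_domain_controllers(inf_text, link_dn):
    """True when a broad Administrators definition is linked at the domain
    root, where it is inherited by the Domain Controllers OU. On a DC the
    Administrators group is the domain's own BUILTIN\\Administrators."""
    linked_at_root = link_dn.strip().upper().startswith("DC=")
    return linked_at_root and bool(broad_admin_members(inf_text))
```

The template on SYSVOL is normally UTF-16 encoded, so decode it before passing the text in.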