Re: Computer Management Security Question

From: Dave W. (DaveW_at_discussions.microsoft.com)
Date: 07/28/04


Date: Wed, 28 Jul 2004 07:49:01 -0700

Roger,

The GPO is linked to a specific OU (called developer staff) where all the PCs and the user accounts exist for the development staff. The DC and other PCs (NAS servers, etc.) all exist in a different OU, and the GPO for that alternate OU does not contain any of the restricted group policies.

Great suggestion though, thanks Roger and let me know if you can think of anything else.

Dave

"Roger Abell" wrote:

> And the GPO with this restricted group definition
> is linked at the domain level rather than to an OU
> in which the developers' machines are placed?
> If so, then you are making them members of the
> domain\administrators group as well as of each
> machine\administrators group.
>
> --
> Roger Abell
> Microsoft MVP (Windows Server System: Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Dave W." <DaveW@discussions.microsoft.com> wrote in message
> news:595A1CC7-F169-4A9E-B7D2-61727A9F49B3@microsoft.com...
> > Hello Danny,
> >
> > No, they are not domain administrators, they are only administrators on their
> > own machines (although they do log in via the DC for authentication). The
> > way I did this was I have a group policy that all staff belong to and in
> > this policy, the "Restricted Groups" section has Administrators with members
> > being Domain Admins and Domain Users. Thus, on their local PCs, when they
> > receive the GP, their "administrators" group contains the "domain\domain
> > admins" and "domain\domain users" as members.
> >
> > Further, each user account is restricted to permit them to log in ONLY to
> > their own machine. Note that in monitoring the event log, it seems that they
> > are gaining access because they have the "SeTakeOwnershipPrivilege". Is
> > this something that I can turn off?
> >
> > "Danny Sanders" wrote:
> >
> > > Sounds like you made your users domain admins instead of admin of their
> > > local computer.
> > > If so take them out of the domain admin group and, from their local
> > > computer add their domain account to the local admin group.
> > > They will be able to install, update, their local computer but no
> > > control over the domain controllers.
> > >
> > > hth
> > > DDS W 2k MVP MCSE
> > >
> > > "Dave W." <DaveW@discussions.microsoft.com> wrote in message
> > > news:4CF603E6-B7BF-4382-8080-E6CF7C9AD2D6@microsoft.com...
> > > > We use a Windows 2003 DC and have found that all of our users can
> > > > choose the "Manage" on "My Computer" and then choose the domain controller PC
> > > > as the PC to manage. They can then add shares, shut down services, etc.
> > > > which defeats all the security.
> > > >
> > > > How can I prevent users from specifying another computer name in the
> > > > computer management console snap-in and/or how do I restrict a computer
> > > > to allowing only specific users to connect.
> > > >
> > > > Note that all of our users are administrators which I know is bad, but
> > > > they are software developers and need to constantly re-install, update
> > > > registries, etc.
> > > >
> > > >
> > >
> > >
> > >
>
>
>
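The thread turns on two facts: a Restricted Groups GPO that places "Domain Users" in the local Administrators group makes every domain user an administrator on every machine the GPO reaches, and on a domain controller the "local" Administrators group is the domain's built-in Administrators group, so a domain-root link hands the developers administrative access to the DC that Computer Management then exercises remotely. The PowerShell below is an added audit example written for this page, not code from any poster; it uses modern RSAT cmdlets (GroupPolicy, ActiveDirectory and the LocalAccounts module in PowerShell 5.1+) that did not exist on the Windows 2003 systems in the thread, and the domain DN, GPO name and computer names are constructed placeholders.

```powershell
# Added example, not from the thread. Assumes RSAT (GroupPolicy, ActiveDirectory)
# on the admin workstation, WinRM plus PowerShell 5.1+ on the audited member
# machines. All names below are constructed; replace them with your own.
$DomainDN    = 'DC=corp,DC=example'        # constructed: distinguished name of the domain
$GpoName     = 'Developer Staff Policy'    # constructed: the GPO carrying the Restricted Groups setting
$Computers   = @('DEV-PC01', 'DEV-PC02')   # constructed: member machines to inspect
$BroadGroups = @('Domain Users', 'Authenticated Users', 'Everyone')

# 1. Roger's question: is the GPO linked at the domain root? A root link applies
#    the Restricted Groups setting to domain controllers as well as workstations.
$rootLinks = (Get-GPInheritance -Target $DomainDN).GpoLinks
if ($rootLinks | Where-Object { $_.DisplayName -eq $GpoName }) {
    Write-Warning "'$GpoName' is linked at the domain root ($DomainDN) and reaches domain controllers."
} else {
    Write-Host "'$GpoName' is not linked at the domain root."
}

# 2. The DC side: on a domain controller, "Administrators" is the domain's
#    built-in group, so check it through Active Directory rather than SAM.
$dcAdmins = Get-ADGroupMember -Identity 'Administrators' | Select-Object -ExpandProperty Name
foreach ($name in $dcAdmins) {
    if ($BroadGroups -contains $name) {
        Write-Warning "Domain built-in Administrators contains broad group '$name'."
    }
}

# 3. The workstation side: list local Administrators on each member machine and
#    flag broad domain groups, which is the Domain Users membership Dave describes.
$findings = foreach ($c in $Computers) {
    try {
        $members = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
            Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
        }
    } catch {
        [pscustomobject]@{ Computer = $c; Member = $null; Finding = "unreachable: $($_.Exception.Message)" }
        continue
    }
    foreach ($m in $members) {
        $short = ($m -split '\\')[-1]      # strip the DOMAIN\ prefix before comparing
        if ($BroadGroups -contains $short) {
            [pscustomobject]@{ Computer = $c; Member = $m; Finding = 'broad group in local Administrators' }
        }
    }
}
$findings | Format-Table -AutoSize
```

Run it from an administrative workstation with RSAT installed. A warning from step 1 or 2 means the developers' membership in local Administrators also exists on the domain controller, which is exactly the condition that lets Computer Management connect to the DC with administrative rights; the fix is to link the GPO only to the developers' OU and to keep "Domain Users" out of the restricted Administrators group, adding individual accounts (or a dedicated developer group) instead. Step 3 then confirms the change has landed on each workstation.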