Re: Deny rights question
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 01/10/05
- Next message: Dave W: "MS CM VPN Client Certificate Selection"
- Previous message: Steven L Umbach: "Re: Changing Global Group to Domain Local Group."
- In reply to: Jeff Cichocki: "Deny rights question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 10 Jan 2005 13:04:50 -0600
There are some folders that they will be able to open by default on a domain
controller such as sysvol. They would be able to open and list any share
that has share and ntfs permissions for everyone/users/authenticated users
or other groups that they are members of. If these folders are restricted to
"administrators" for permissions then you want to be sure to double check
membership in the domain admins, enterprise admins [if available] and
administrators groups in Active Directory Users and Computers. If they can
access the default hidden admin share on a domain controller such as C$, you
know they have excessive permissions in the domain. --- Steve
"Jeff Cichocki" <jeffc@belgioioso.com> wrote in message
news:unxM%23hy9EHA.3236@TK2MSFTNGP15.phx.gbl...
>I have a new 2003 environment that is managing some XP machines. A few of
>the XP machines have users that set up as local admins to their respective
>machines. Is there a way to prevent their local admin rights from giving
>them admin rights to the domain servers? Specifically, they can browse the
>network and open any folder on the server because of this scenario.
>
> Thanks
>
> Jeff
>
- Next message: Dave W: "MS CM VPN Client Certificate Selection"
- Previous message: Steven L Umbach: "Re: Changing Global Group to Domain Local Group."
- In reply to: Jeff Cichocki: "Deny rights question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
