Re: Adding Computers to the Domain (AD)

From: Miha Pihler [MVP] (mihap-news_at_atlantis.si)
Date: 03/16/05

  • Next message: Gerry Hickman: "Re: EFS - Encryption and User Migration"
    Date: Wed, 16 Mar 2005 23:25:02 +0100
    
    

    Even if a user adds a computer to the domain, it will not grant him/her any
    additional permissions in the domain that they didn't have before on the same
    computer when it was not part of the domain... What it does give the user is
    easier access to resources (access that they had before they added the
    computer to the domain). At the same time it gives the administrator good
    control over what is installed and running on the computer, since group
    policy is applied to a computer added to the domain.

    ***
    Again I would like to stress that I work in different environments --
    environments that allow or prohibit users from adding computers to the domain.
    What I would like to do here is point out a few problems and a few solutions :-)
    and maybe I can learn something new.

    If you prevent users from adding computers to the domain, be aware that
    viruses can still be spread. What you can do (besides writing a security
    policy that I mentioned in my other post) is:
    a) 802.1x, where computers must be authenticated before they are connected to
    the network. The solution can be a bit pricey since the network switch must
    support this...
    b) don't patch every network outlet (but this can be bypassed since users
    can disconnect their company-owned computer and connect their private
    computer to domain (this is where security policy can help out -- if users
    are aware of it))...

    -- 
    Mike
    Microsoft MVP - Windows Security
    > Miha, you previously wrote:
    >> My view on this is that you already expressed your trust in the user by 
    >> giving him a username and password to the domain. If he/she adds a computer
    >> to the domain this doesn't give them any more permissions on the domain than
    >> they had before, it just makes their work easier (access to resources)...
    >
    > Okay, I disagree here. Unless you're willing to provide a detailed 
    > definition of your use of the word "trust", giving a user a domain account 
    > should only mean that you're allowing the user to have access to 
    > *some* *existing* domain resources, including 
    > *some* *existing* domain computers.
    >
    > It certainly shouldn't mean that they should be allowed to just plug in 
    > any virus/worm/trojan infected laptop (or any device at all, for that 
    > matter) into my network unless *I* am thoroughly satisfied that 
    > that particular device is clean and secure.
    >
    > Personally, I tend to agree more with Mr. Smith, who wrote:
    >> How do I find out who added what computer to the domain so I can go beat 
    >> the user with a patch cable for doing so w/o my permission?
    > 
    
