Domain Admin access to users PC
  • Domain Admin access to users PC

    We have just changed from a Novell network to MS running Active Directory. Do the Forest and domain admins automatically have browse/read access to the files on the PCs of users who are logged into the domain, and if so - can the Admins be blocked by a standard user?

  • #2
    Re: Domain Admin access to users PC

    domain admins have access to \\PC\\c$ and everything else
    Last edited by DYasny; 6th March 2011, 18:20.
    Real stupidity always beats Artificial Intelligence (c) Terry Pratchett

    BA (BM), RHCE, MCSE, DCSE, Linux+, Network+



    • #3
      Re: Domain Admin access to users PC

      That's what I thought. But is there a way to block an Enterprise or domain admin at the PC level or at least an OU level so they do not have rights to another user's files on their PC?



      • #4
        Re: Domain Admin access to users PC

        yup, possible on the PC level - disable the $ shares
        Last edited by DYasny; 6th March 2011, 18:20.
        Real stupidity always beats Artificial Intelligence (c) Terry Pratchett

        BA (BM), RHCE, MCSE, DCSE, Linux+, Network+



        • #5
          Re: Domain Admin access to users PC

          Domain Admins are added to the local Administrators group on every computer that joins the domain. You can use Restricted Groups to remove this.



          • #6
            Re: Domain Admin access to users PC

            You could design a GPO to remove domain admins from the local administrators built-in group, but I am afraid a Domain Admin could at worst edit or unlink said GPO.

            Do you consider it that bad that people who run the Domain (and they often run the file servers as well) can access the data on client computers?

            If you do, you will have to look into a rather complicated delegation setup.
            VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah



            • #7
              Re: Domain Admin access to users PC

              Always ensure that you have a backdoor plan before removing Domain Admins from the local admins group. You could end up shooting yourself in the foot otherwise.


              MurTuzA
              The Never Ending Loop of User Rights
              START
              Q. Why is Windows so insecure?
              A. Because everyone runs as Administrator.
              Q. Why does everyone run as Administrator (even when they know better)?
              A. Because they don't understand security and are afraid they will be prevented from doing things.
              Q. Why don't they understand security?
              A. Because they run as Administrator, bypassing all security.
              LOOP TO START



              • #8
                Re: Domain Admin access to users PC

                Yeah well, also make sure you don't do it on the Default Domain Policy
                VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah
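
The Restricted Groups approach from posts #5 to #7 can be checked before the GPO is linked. The following is an added example, not code from any poster in this thread: it reads the `[Group Membership]` section of a GPO security template (`GptTmpl.inf`) and reports who would remain in the local Administrators group. The domain SID, RID 1105 and the `LocalBreakGlass` account are constructed sample values, and the function name is hypothetical.

```python
import configparser

SECTION = "Group Membership"
ADMINS_MEMBERS = "*S-1-5-32-544__Members"  # member list for BUILTIN\Administrators
DOMAIN_ADMINS_RID = "512"                  # well-known RID of Domain Admins

# Constructed sample template (domain SID, RID 1105 and account name are made up).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105,LocalBreakGlass
"""

def is_domain_admins(member):
    """True for a domain SID entry whose RID is 512."""
    m = member.upper()
    return m.startswith("*S-1-5-21-") and m.endswith("-" + DOMAIN_ADMINS_RID)

def review_restricted_groups(inf_text):
    """Summarise what the template does to local Administrators.

    inf_text is the already-decoded content of GptTmpl.inf.
    """
    parser = configparser.RawConfigParser(delimiters=("=",), strict=False)
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(inf_text)
    if not parser.has_option(SECTION, ADMINS_MEMBERS):
        return {"enforced": False, "members": [], "domain_admins_kept": None,
                "warnings": ["template does not restrict local Administrators"]}
    raw = parser.get(SECTION, ADMINS_MEMBERS)
    members = [m.strip() for m in raw.split(",") if m.strip()]
    kept = any(is_domain_admins(m) for m in members)
    fallback = [m for m in members if not is_domain_admins(m)]
    warnings = []
    if kept:
        warnings.append("Domain Admins (RID 512) is still listed and will not be removed")
    if not members:
        warnings.append("member list is empty: no fallback administrator is defined")
    return {"enforced": True, "members": members, "domain_admins_kept": kept,
            "fallback_admins": fallback, "warnings": warnings}

if __name__ == "__main__":
    print(review_restricted_groups(SAMPLE_INF))
```

A Restricted Groups "Members" list replaces the group's membership, so any principal missing from it is removed when the policy applies; an empty list is the case post #7 warns about.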
