Explicitly restricting certain activities from admins
    It's hard for me to determine exactly where to post this... Windows Server, Active Directory, or GPO... it would be more clear if I knew the answer to my question.

    Anyhow....

    I have two Windows 2008 Servers that I recently set up and am ready to hand over to a very small team of developers and support personnel.

    The scenario is that I want them to be able to do anything on the servers they need to do, EXCEPT change the domain, which means also that I would need them to not be able to modify the local Users group.

    I've poked all around GPO and haven't found really what I'm looking for. I read about Restricted Groups and that's not quite right. Anyone have any ideas?

    The reasoning:
    I want these guys to be able to do whatever they need on this machine to administer and support people, and if they feel like I'm trying to tie their hands, they might complain to management and cause some friction that nobody wants to deal with... also I need them to not feel like I don't trust them.

    All I'm trying to do is run remote inventory on the machine, and have these guys use their domain accounts via RDP over the LAN to manage the server. Currently they all use the local admin account and VNC (exposed to the web!) on the server we are replacing that they manage, which I feel is BAD practice. Also, by order from my upper management, if one of these guys becomes disgruntled, I need to be able to remotely commandeer these machines and lock them out (they are several states away, as are the servers).

  • #2
    Re: Explicitly restricting certain activities from admins

    Hi

    First of all, I am not sure whether you have a domain (Active Directory) environment or standalone servers, as there is nothing called local users or local admins once you promote a machine to a domain controller.

    Assuming that it's a domain environment, I would need the exact list of the tasks you want these people to be able to do and also everything you do not want them to do.

    Karan
    Last edited by Ossian; 5th December 2009, 11:41. Reason: MOD EDIT removed link
    Best Regards,
    Pledge Technologies

  • #3
    Re: Explicitly restricting certain activities from admins

    These machines I'm giving them will not be Domain Controllers, so there is a set of local users. The servers are domain members, so the admins of these machines will be using their domain accounts to log in.

    The idea is that I can remove their domain account rights from the machine if necessary, although VERY unlikely. The admins of these machines are in an Active Directory group, and I've added that group to the local Administrators groups of these machines.

    Unfortunately, I do not know exactly what they will need to do, otherwise I could definitely start opening up rights to a super user role. All I can say for sure is that I need them to NOT be able to remove it from the domain.... so I'm trying to come at it from the other direction by giving them admin accounts and then removing rights, although it seems impossible.

  • #4
    Re: Explicitly restricting certain activities from admins

    Hi

    Given the fact that they are already local admins on the box, it's difficult to restrict them from changing local users and groups and also the domain membership. The only solution I can think of is to restrict their access to sysdm.cpl (to change domain membership) and also Local Users and Groups.

    Prevent access to Local Users and Groups
    There is a policy under User\Admin Templates\MMC

    Prevent access to System Properties
    Couldn't find any policy for the same (let me know if you do)
    Go to c:\windows\system32\sysdm.cpl
    Either move the file from there or deny the given users security access to it.

    All of this solution assumes that your users are not very advanced technically.

    Karan
    Last edited by Ossian; 5th December 2009, 11:41. Reason: Removed Link
    Best Regards,
    Pledge Technologies

  • #5
    Re: Explicitly restricting certain activities from admins

    Yes, they are local admins, but I haven't handed the box to them yet so I can easily change that now.... yet I don't think there is a better way.

    I will check into your suggestions after the weekend and report back the results. I will test it before handing it over.

    Thanks!!

  • #6
    Re: Explicitly restricting certain activities from admins

    Well, if you have the option of not making them a local admin... then your problem is all done... once they are not a local admin, they can't change domain membership and user membership.

    Moreover, you always have the option to disable Local Users and Groups through policy.
    Best Regards,
    Pledge Technologies

  • #7
    Re: Explicitly restricting certain activities from admins

    Unfortunately, I don't really have that option because I don't know enough about what they need to do on these machines to open up access on another type of account. I need to let them have full access to do anything they might need to do; I just need to ensure the machines stay on the domain and they stick to their domain accounts.

  • #8
    Re: Explicitly restricting certain activities from admins

    The sysdm.cpl restriction seems to have done the trick. I gave ownership to the Domain Admins group (which they are not members of), and removed local Administrators' and Users' access to it.

    When I tried to open it with a test account, it gives some BS error.

    Of course, one of these guys might go in and play with the permissions to undo this, but we can deal with that accordingly should that be the case. That would mean that it was a deliberate action, not an accidental "oh, I moved it from the domain to test something", because I asked them specifically not to remove this machine from the domain.

    I guess someone in that group could run the System Properties tool on another machine and point it at this one, but at least it would take some know-how that I don't think these guys have.

    I just need to find the Local Users and Groups file and restrict it down. I will search for it later and report back my results.

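The ACL change post #8 describes, scripted so it can be applied the same way on both servers and re-checked later from the remote inventory job the original poster mentions. This is an added PowerShell example, not code from anyone in the thread. It assumes it is run elevated on the member server, that `CONTOSO` is replaced with the real domain NetBIOS name, and that the account running it is a member of Domain Admins (otherwise handing ownership to that group fails). The `Test-SysdmRestriction` function exists because a local administrator can always take ownership back: the restriction is a tripwire for the "deliberate action" case post #8 talks about, not a security boundary, and the audit rule makes the failed opens visible in the Security log if object-access failure auditing is enabled.

```powershell
# Added example (not from the thread): apply and verify the sysdm.cpl ACL
# restriction from post #8. Run elevated on the member server.
# "CONTOSO" is a placeholder for the real domain NetBIOS name.

$SysdmPath    = Join-Path $env:SystemRoot "System32\sysdm.cpl"
$DomainAdmins = "CONTOSO\Domain Admins"                       # placeholder
$Restricted   = @("BUILTIN\Administrators", "BUILTIN\Users")   # lose access

function Set-SysdmRestriction {
    # The applet is normally owned by TrustedInstaller; only the owner (or a
    # holder of SeRestorePrivilege) may rewrite its DACL, so take it first.
    takeown.exe /F $SysdmPath /A | Out-Null

    # Break inheritance from System32 (keeping a copy of the inherited ACEs)
    # so that removing the Administrators/Users entries below actually sticks.
    $acl = Get-Acl -Path $SysdmPath
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $SysdmPath -AclObject $acl

    $acl = Get-Acl -Path $SysdmPath
    foreach ($rule in @($acl.Access)) {
        if ($Restricted -contains $rule.IdentityReference.Value) {
            [void]$acl.RemoveAccessRuleAll($rule)
        }
    }
    # SYSTEM and the domain admins group keep read/execute; nobody else gets an ACE.
    foreach ($id in @("NT AUTHORITY\SYSTEM", $DomainAdmins)) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $id, "ReadAndExecute", "Allow"
        $acl.AddAccessRule($rule)
    }
    # Hand ownership to Domain Admins as post #8 did. The caller must be a
    # member of that group (or hold SeRestorePrivilege) for this to succeed.
    $acl.SetOwner([System.Security.Principal.NTAccount]$DomainAdmins)
    Set-Acl -Path $SysdmPath -AclObject $acl
}

function Enable-SysdmFailureAudit {
    # Log failed opens by the restricted principals to the Security log.
    # Requires "Audit object access" (failure) to be enabled by local or GPO policy.
    $acl = Get-Acl -Path $SysdmPath -Audit
    foreach ($id in $Restricted) {
        $audit = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList $id, "ReadAndExecute", "Failure"
        $acl.AddAuditRule($audit)
    }
    Set-Acl -Path $SysdmPath -AclObject $acl
}

function Test-SysdmRestriction {
    # Returns $true while the restriction holds. A local admin can always take
    # ownership back, so run this from the remote inventory job to detect that,
    # rather than relying on the ACL as a security boundary.
    $acl   = Get-Acl -Path $SysdmPath
    $leaks = @($acl.Access | Where-Object { $Restricted -contains $_.IdentityReference.Value })
    if ($acl.Owner -ne $DomainAdmins) {
        Write-Warning "sysdm.cpl owner is '$($acl.Owner)', expected '$DomainAdmins'"
        return $false
    }
    if ($leaks.Count -gt 0) {
        $who = ($leaks | ForEach-Object { $_.IdentityReference.Value }) -join ", "
        Write-Warning "sysdm.cpl still grants access to: $who"
        return $false
    }
    return $true
}

Set-SysdmRestriction
Enable-SysdmFailureAudit
Test-SysdmRestriction
```

Running only `Test-SysdmRestriction` on a schedule (for example from the same remote inventory that already runs on the box) gives a yes/no answer per server; a `$false` means the ACL or owner changed since the hand-over and is worth a look, which is exactly the deliberate-versus-accidental distinction post #8 wants to be able to make.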
  • #9
    Re: Explicitly restricting certain activities from admins

    Hi

    As I said before, for Local Users and Groups there is a policy to restrict the MMC in User\Admin Templates\MMC (something like this); with the help of this I can even restrict the built-in Admin or, for that matter, Enterprise Admins from accessing Local Users and Computers.

    If you couldn't find the policy, I will give you the exact path.

    Thanks
    Karan
    Best Regards,
    Pledge Technologies
