GPO -- deny netbios rename


  • GPO -- deny netbios rename

    Hello ALL,

    I'm running into a problem. Too many users in my org are Administrators on quite a few Win2k3 production machines. We are running into the issue of those 'pesky admins' renaming NetBIOS names and never telling anyone. This makes it hard for us domain admins to keep track of what's been renamed for our record-keeping.

    Is there a GPO that I can put in place at the domain level that will only allow the renaming of NetBIOS names to Domain Admins only?

  • #2
    Re: GPO -- deny netbios rename

    Have not tested it, but you might want to try editing defaultSecurityDescriptor of the "computer" object class and remove write permission on "Write computer name (pre-Windows 2000)" property from CREATOR OWNER.

    The only caveat I can think of is the actual process of joining the computer to the domain - you will need to test whether the change allows non Domain Admins to create/pre-create computer accounts without issues.

    Another option would be to re-ACL the DLL responsible for the "Computer Name" tab in the GUI - saw this trick once and seem not to be able to find the DLL name in question... This will not prevent local admins from using command line tools like netdom, but will give them a hard time when using the GUI.
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"



    • #3
      Re: GPO -- deny netbios rename

      Originally posted by guyt
      Have not tested it, but you might want to try editing defaultSecurityDescriptor of the "computer" object class and remove write permission on "Write computer name (pre-Windows 2000)" property from CREATOR OWNER.

      Where can I find this option?



      • #4
        Re: GPO -- deny netbios rename

        I started writing an answer, but realized that it would be quite a long one. I just blogged it instead:
        http://blogs.microsoft.co.il/blogs/g...ers-in-AD.aspx

        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"
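The defaultSecurityDescriptor change suggested in #2 and written up in the blog post, as an added PowerShell example (not code from the thread or from the blog post). It assumes the RSAT ActiveDirectory module, Schema Admins rights, and that the ACL editor's "Write computer name (pre-Windows 2000)" entry is the WriteProperty right on the sAMAccountName attribute; the attribute's GUID is resolved from the schema rather than hard-coded. Schema changes are forest-wide and only affect computer objects created after the change, so run it against a lab forest first and keep the -WhatIf until the domain-join test from #2 has passed.

```powershell
# Added example, not code from the thread or from Guy's blog post. Assumes the
# RSAT ActiveDirectory module, Schema Admins membership, and that the ACL editor's
# "Write computer name (pre-Windows 2000)" is the WriteProperty right on the
# sAMAccountName attribute. Schema changes are forest-wide: try this in a lab first.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve the sAMAccountName schemaIDGUID from the schema instead of hard-coding it.
$samAttr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=sAMAccountName)' -Properties schemaIDGUID
$samGuid = [guid]$samAttr.schemaIDGUID

# defaultSecurityDescriptor is stored as an SDDL string on the class-schema object.
$computerClass = Get-ADObject -Identity "CN=Computer,$schemaNC" -Properties defaultSecurityDescriptor
$sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sd.SetSecurityDescriptorSddlForm($computerClass.defaultSecurityDescriptor)

# Every ACE in the default that lets a trustee write sAMAccountName on a new computer object.
$writeSam = $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $samGuid -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
    }
$writeSam | Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType -AutoSize

# Drop only the CREATOR OWNER (S-1-3-0) ACEs among them; everything else stays as it was.
$creatorOwnerAces = $writeSam | Where-Object { $_.IdentityReference.Value -eq 'S-1-3-0' }
foreach ($ace in $creatorOwnerAces) { $sd.RemoveAccessRuleSpecific($ace) }

$newSddl = $sd.GetSecurityDescriptorSddlForm('All')
"Old: $($computerClass.defaultSecurityDescriptor)"
"New: $newSddl"

# Write the tightened default back on the schema master. Remove -WhatIf once the
# lab test (including domain joins by non Domain Admins) has passed. Only objects
# created after the change get the new default; existing computer accounts keep
# whatever ACL they already have.
Set-ADObject -Identity $computerClass -Server (Get-ADForest).SchemaMaster `
    -Replace @{ defaultSecurityDescriptor = $newSddl } -WhatIf
```

The "Old"/"New" lines are worth diffing before removing -WhatIf: the only difference should be the missing CREATOR OWNER ACE for that one property GUID. If the listing is empty on your forest, the default does not grant that right to CREATOR OWNER in the first place and the permission is coming from somewhere else (typically an OU, see #6).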



        • #5
          Re: GPO -- deny netbios rename

          Great article.. ^^

          My only issue is that this shows you how to fix it if the person renaming the machine was the one who added it to the domain.



          • #6
            Re: GPO -- deny netbios rename

            The article deals with permissions explicitly applied to the computer object upon its creation. It does not take into account permissions inherited from containers/OUs the object resides in.
            If you have accounts that have rights over OUs/containers, you will have to lock the permissions on the containers (same ACEs apply in this case - take a look at who has "Write computer name pre-Windows 2000" in the container's ACL).

            In addition, you might want to implement some sort of monitoring script that scans specific OUs and locks ("moves to an OU where only DAs have permissions and GPOs that let only DAs log on to those computers" comes to my mind) the computer objects that do not meet naming conventions. After a couple of times that some application admin's server gets locked, they will comply.
            Guy Teverovsky
            "Smith & Wesson - the original point and click interface"



            • #7
              Re: GPO -- deny netbios rename

              What's the command line so that I can check the ACLs on the containers in AD?
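The container check asked for in #7, and the inherited-permission point from #6, as an added PowerShell example (not code from the thread). It assumes the RSAT ActiveDirectory module (which also provides the AD: drive that Get-Acl reads from), that "Write computer name (pre-Windows 2000)" is WriteProperty on sAMAccountName, and a hypothetical search base of OU=Servers,DC=corp,DC=example. For each OU or container it lists the ACEs that would flow down to computer objects and let the trustee write that attribute, and flags whether the ACE is itself inherited, i.e. has to be fixed further up the tree.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory module
# (which provides the AD: drive used by Get-Acl) and that "Write computer name
# (pre-Windows 2000)" is the WriteProperty right on sAMAccountName.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Look up schemaIDGUIDs from the schema instead of hard-coding them.
function Get-SchemaIdGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$samGuid      = Get-SchemaIdGuid 'sAMAccountName'
$computerGuid = Get-SchemaIdGuid 'computer'
$writeProp    = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Walk every OU and container under $SearchBase and report the ACEs that could let
# a trustee write sAMAccountName on computer objects beneath it.
function Get-ComputerRenameGrants {
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADObject -SearchBase $SearchBase -SearchScope Subtree `
        -LDAPFilter '(|(objectClass=organizationalUnit)(objectClass=container))' |
      ForEach-Object {
        $dn  = $_.DistinguishedName
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if (-not $ace.ActiveDirectoryRights.HasFlag($writeProp)) { continue }

            # Empty ObjectType = all properties (GenericAll/GenericWrite land here).
            # ACEs granted through a property set are not expanded by this script.
            $coversSam = ($ace.ObjectType -eq [guid]::Empty) -or ($ace.ObjectType -eq $samGuid)
            if (-not $coversSam) { continue }

            # Must flow down to child objects of class computer (or to all classes).
            $flowsToComputers = ($ace.InheritanceType -ne 'None') -and
                (($ace.InheritedObjectType -eq [guid]::Empty) -or ($ace.InheritedObjectType -eq $computerGuid))
            if (-not $flowsToComputers) { continue }

            [pscustomobject]@{
                Container = $dn
                Trustee   = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Property  = $(if ($ace.ObjectType -eq $samGuid) { 'sAMAccountName' } else { 'All properties' })
                Inherited = $ace.IsInherited   # $true: granted on a parent, fix it there
            }
        }
      }
}

# Hypothetical OU; replace with the containers that hold your member servers.
Get-ComputerRenameGrants -SearchBase 'OU=Servers,DC=corp,DC=example' |
    Sort-Object Container, Trustee | Format-Table -AutoSize
```

Expect Domain Admins, Account Operators and SYSTEM to show up on every container from the default ACLs; anything else in the list is a delegation that lets that group rename computers regardless of what the object's own ACL says. On a 2003-era box without PowerShell, `dsacls "OU=Servers,DC=corp,DC=example"` from the Support Tools dumps the same ACL in text form, which you can search for the sAMAccountName entries by hand.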
