AD permissions messed up (Was: Urgent!)

  • AD permissions messed up (Was: Urgent!)

    I have somehow disabled the security measure which didn't allow any user other than the domain administrator to run Remote Desktop. Where exactly is this object located in Group Policy?
    Also, folders I've shared only to administrator can be accessed by other users as well.

    Is it possible somehow that group policy is not applied for some reason?

  • #2
    Re: Urgent!

    Wow great choice of title.

    What setting did you change???

    What do you mean by the folders comment???

    What are the effective permissions for a non admin user???


    • #3
      Re: Urgent!

      Be a little more specific. From what I understood, all the users can connect via Remote Desktop and they connect to the shared folders where only the domain admins have rights.

      First check one user with these rights (which groups they belong to).
      Connect to one server where they have access and check the members of the local groups (Administrators, Remote..., Power Users, etc.).
      Check the members of the Domain Admins group.
      Check which groups "Authenticated Users" and "Domain Users" belong to.

      yea... great choice of title

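The checks listed in post #3, as an added PowerShell example that is not part of any poster's reply: it lists a sample user's groups, the members of the server's local groups, the effective Domain Admins, and the groups that contain Domain Users and Authenticated Users. `SERVER01` and `student01` are placeholder names, and the ActiveDirectory module is assumed to be available.

```powershell
# Added example (not from the thread). Run as a domain admin.
# Assumed names: SERVER01 and student01 are placeholders.
Import-Module ActiveDirectory      # AD DS role or RSAT on 2008 R2

$Server     = 'SERVER01'           # hypothetical server to inspect
$SampleUser = 'student01'          # hypothetical affected account
# Broad principals that should not appear inside privileged groups
$Broad = 'Domain Users', 'Authenticated Users', 'Everyone', 'Users', 'INTERACTIVE'

function Get-LocalGroupMemberName {
    param([string]$Computer, [string]$Group)
    # WinNT ADSI provider: works on PowerShell 2.0
    $g = [ADSI]"WinNT://$Computer/$Group,group"
    @($g.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

'--- 1. Groups that {0} belongs to' -f $SampleUser
Get-ADPrincipalGroupMembership -Identity $SampleUser |
    Select-Object -ExpandProperty Name

'--- 2. Local groups on {0}' -f $Server
foreach ($grp in 'Administrators', 'Remote Desktop Users', 'Power Users') {
    try   { $members = @(Get-LocalGroupMemberName $Server $grp) }
    catch { '{0}: could not be read ({1})' -f $grp, $_.Exception.Message; continue }
    foreach ($m in $members) {
        $flag = if ($Broad -contains $m) { '  <-- broad group, investigate' } else { '' }
        '{0}: {1}{2}' -f $grp, $m, $flag
    }
}

'--- 3. Effective members of Domain Admins (nested groups expanded)'
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName

'--- 4. Groups that contain Domain Users / Authenticated Users'
Get-ADPrincipalGroupMembership -Identity 'Domain Users' |
    Select-Object -ExpandProperty Name
# Authenticated Users (well-known SID S-1-5-11) is stored as a foreign security principal
$fsp = 'CN=S-1-5-11,CN=ForeignSecurityPrincipals,' + (Get-ADDomain).DistinguishedName
Get-ADGroup -LDAPFilter "(member=$fsp)" | Select-Object -ExpandProperty Name
```

A broad group such as Domain Users flagged under Administrators or Remote Desktop Users in section 2 would give every account in it those rights on that server.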


      • #4
        Re: Urgent!

        Originally posted by wullieb1
        Wow great choice of title.

        What setting did you change???

        What do you mean by the folders comment???

        What are the effective permissions for a non admin user???
        I installed another server as DC, then I upgraded/reinstalled the first one and installed 2008 R2 (before, it was 2003).

        I think everything worked fine then.
        Then I used TeamViewer VPN to connect to the server from outside. Can that somehow change permissions?

        By the folders comment I mean that by default, for example, the c$ folder on the server is accessible by the student account (I work in a school and that student account was restricted from accessing anything except folders explicitly shared for them).

        The same goes for superusers such as teachers etc. Now they are all able to connect to the server or any other machine via remote administrator and access all the folders which are not shared (only if they are shared specifically to administrator only, they can't access them).

        The title is because every second this is set like this I risk student intrusion, and I'd really like to restore security as it was before as soon as possible.
        The thing is, the original group policy wasn't created by me, but I'm sure I didn't change anything.


        • #5
          Re: Urgent!

          Originally posted by Dopicu
          Be a little more specific. From what I understood, all the users can connect via Remote Desktop and they connect to the shared folders where only the domain admins have rights.

          First check one user with these rights (which groups they belong to).
          Connect to one server where they have access and check the members of the local groups (Administrators, Remote..., Power Users, etc.).
          Check the members of the Domain Admins group.
          Check which groups "Authenticated Users" and "Domain Users" belong to.

          yea... great choice of title
          When I go to the properties of some folder or drive, under the Security tab there is something like this:
          [domain]/Admin > full control
          [domain]/Users > read

          So all I want is to disable remote admin for all but administrator
          and to disable access to all folders by default except those which I shared specifically.


          • #6
            Re: Urgent!

            Btw, when I go to the students group policy and go to Delegation, I can see a list of users.
            There are Domain Admins... is that what should be deleted so those students don't have admin permissions?

            Edit: I figured it's OK, so that means that the admins have rights to change it... so it's OK I guess.
            Last edited by kabir; 27th February 2012, 13:17.


            • #7
              Re: Urgent!

              Originally posted by kabir
              Btw, when I go to the students group policy and go to Delegation, I can see a list of users.
              There are Domain Admins... is that what should be deleted so those students don't have admin permissions?
              Yes and the admin that added them needs sacked.


              • #8
                Re: Urgent!

                Originally posted by kabir
                Then I used TeamViewer VPN to connect to the server from outside. Can that somehow change permissions?
                TeamViewer won't change permissions on its own.

                What account did you log in to the server with???

                Also, TeamViewer is not RDP; it's a standalone application that gives you remote access over the web.


                • #9
                  Re: Urgent!

                  I figured that the active network profile on the server isn't domain... It's public. Does it have anything to do with it?


                  • #10
                    Re: Urgent!

                    Originally posted by kabir
                    I figured that the active network profile on the server isn't domain... It's public. Does it have anything to do with it?
                    ????

                    Is this on a DC???


                    • #11
                      Re: Urgent!

                      Originally posted by wullieb1
                      ????

                      Is this on a DC???
                      Yeah... although I'm logged on to the domain, it shows the public profile.
                      So that's it? It uses a totally different policy for this profile?

                      How do I change it?


                      • #12
                        Re: Urgent!

                        Maybe this helps

                        http://support.microsoft.com/kb/2524478


                        • #13
                          Re: Urgent!

                          This is the firewall profile?

                          Title edited...
                          Tom Jones
                          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
                          PhD, MSc, FIAP, MIITT
                          IT Trainer / Consultant
                          Ossian Ltd
                          Scotland

                          ** Remember to give credit where credit is due and leave reputation points where appropriate **


                          • #14
                            Re: AD permissions messed up (Was: Urgent!)

                            Control Panel\Network and Internet\Network and Sharing Center\Advanced sharing settings

                            Note:

                            I tested one XP client; the rules still apply (i.e. the student cannot access forbidden things), but he can access the c$ folders of all machines including the server.


                            • #15
                              Re: AD permissions messed up

                              I will once more explain my situation; hopefully it's gonna be more clear now.

                              I have a serious problem with my domain at work. I work in a school; we used to have one Windows 2003 server as a DC.
                              Meanwhile I installed another server with the 2008 R2 platform and set it as an additional DC. Then I reinstalled the first one, so now both of them have the 2008 R2 operating system.
                              Active Directory with users and policies was created a few years ago and worked fine. There were basically 3 types of users:

                              - student (user with minimal rights)
                              - teacher, and other staff (SuperUser)
                              - administrator (domain admin)

                              Until a few days ago everything worked fine, as only administrator was able to use Remote Desktop or access, for example, the server's c$ or d$ drive.
                              Now somehow it's all messed up, and I don't recall making any changes in AD or GP.

                              So the symptoms are these:
                              - Students, teachers and all other users are able to connect via Remote Desktop to any machine including the server.
                              - All of them are able to access \\server\c$ or similar folders by DEFAULT (this did not change on other workstations, only servers)

                              So my questions are these:
                              Does anyone know this kind of behaviour from experience, to give me a fast solution?
                              If not, where exactly in Active Directory Group Policy can I reset those options:
                              - forbid use of Remote Desktop for all users except Administrator
                              - forbid browsing of any folders by any users unless it's specifically shared to that user


                              Another thing:
                              From XP computers lately I've been getting a message that I can't run Remote Administrator, no matter if I'm logged in as administrator or another user.
                              Does it have something to do with the fact I've raised the functionality level of the domain to 2008 R2? The message displayed is:
                              "Remote computer requires network level authentication, which your computer does not support."

                              What can I do to make an XP machine run Remote Desktop?
