-
April 21st, 2013, 08:39 PM
#1
Keeping a Domain User Off Other Machines
I have a user on a network that has local admin rights. Other users in the office are running as Users. The problem is that this admin user is logging on to other machines and installing software. Due to company politics, his boss will not tell him to stop; I am only allowed to block his access to the other machines. I looked online but couldn't find the procedure to deny access by machine to a particular user using AD. Does anyone know how to do this, or can point me in the right direction?
Windows Server 2012 Domain
Windows 7 and XP Workstations
-
April 21st, 2013, 08:44 PM
#2
Nevermind. Found the answer.
In the properties for the user in the Active Directory, go to the account tab and select the "Logon To..." button. There you can specify access to specific machines only.
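The "Log On To..." button in post #2 writes the user's LogonWorkstations attribute, and the same restriction can be applied and verified from PowerShell. The script below is an added example, not code from the thread; it assumes the ActiveDirectory module (RSAT or a domain controller), and the account name and computer names are placeholders.

```powershell
# Added example (not from the thread): apply the "Log On To..." restriction
# from post #2 with the ActiveDirectory module. 'jdoe', 'WS-ADMIN01' and
# 'WS-ADMIN02' are placeholders.
Import-Module ActiveDirectory

function Get-AllowedWorkstations {
    param([string]$User)
    # Empty/null means the GUI setting "All computers"
    (Get-ADUser -Identity $User -Properties LogonWorkstations).LogonWorkstations
}

function Set-AllowedWorkstations {
    param([string]$User, [string[]]$Computers)
    # The attribute is one comma-separated string of NetBIOS names, no domain suffix
    $value = ($Computers | ForEach-Object { $_.ToUpper() }) -join ','
    Set-ADUser -Identity $User -LogonWorkstations $value

    # Read it back so a typo or a replication hiccup does not go unnoticed
    $after = Get-AllowedWorkstations -User $User
    if ($after -ne $value) { throw "LogonWorkstations for $User is '$after', expected '$value'" }
    return $after
}

function Clear-AllowedWorkstations {
    param([string]$User)
    # Back to "All computers": clear the underlying LDAP attribute
    Set-ADUser -Identity $User -Clear userWorkstations
}

"Before: " + (Get-AllowedWorkstations -User 'jdoe')
Set-AllowedWorkstations -User 'jdoe' -Computers @('WS-ADMIN01', 'WS-ADMIN02')
"After:  " + (Get-AllowedWorkstations -User 'jdoe')
```

Note that this restricts where the user's own domain account can log on; it does nothing about other accounts that exist on those machines, which is the weakness a later reply in this thread points out.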
-
May 1st, 2013, 08:12 PM
#3
On various finance and IT machines I remove Domain Users' access explicitly on the machine. By default MS allows users to log into all domain workstations: when joining the domain it adds Domain Users to the local Users group, and Domain Admins and Administrator to the local Administrators group. I remove all except for the specific user and the all-powerful Domain Administrator.
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
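The per-machine change in post #3 (drop Domain Users from the local Users group, keep one named account) can be scripted so it is repeatable on every finance or IT box. This is an added example, not the poster's own procedure; it uses net.exe rather than the newer *-LocalGroupMember cmdlets so it runs on the Windows 7 and XP workstations in the original question, and CORP and jsmith are placeholders.

```powershell
# Added example (not from the thread): remove the blanket Domain Users
# membership from the local Users group and keep a single named account,
# as post #3 describes. Intended to run on the workstation itself
# (startup script, deployment tool). 'CORP' and 'jsmith' are placeholders.
$domain      = 'CORP'
$allowedUser = 'jsmith'   # the one domain account that should keep access

function Invoke-NetLocalGroup {
    param([string[]]$NetArgs)
    $out = & net.exe localgroup @NetArgs 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("net localgroup {0} failed: {1}" -f ($NetArgs -join ' '), ($out -join ' '))
    }
    return $out
}

# 1. Remove the membership that domain join added
Invoke-NetLocalGroup @('Users', "$domain\Domain Users", '/delete') | Out-Null

# 2. Re-add only the account that is allowed on this machine
Invoke-NetLocalGroup @('Users', "$domain\$allowedUser", '/add') | Out-Null

# 3. Verify. On Vista/7 the Users group also contains the well-known groups
#    'NT AUTHORITY\Authenticated Users' and 'NT AUTHORITY\INTERACTIVE', so
#    removing Domain Users alone does not keep every other domain account out;
#    a "Deny log on locally" policy (post #4) closes that gap. List what is
#    left so the remaining entries are reviewed rather than assumed.
$members = Invoke-NetLocalGroup @('Users')
$members | Where-Object { $_ -match ('^(NT AUTHORITY|' + [regex]::Escape($domain) + ')\\') } |
    ForEach-Object { "Still in Users: $_" }
```

Run it once by hand on a test machine and compare the "Still in Users" lines against what you expect before pushing it fleet-wide.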
-
May 3rd, 2013, 07:51 PM
#4
I employed another method of doing this in a large school; after using a naming convention on all machines (in which an 'S' at the end of the name indicated a student-use machine), it was easy to organise AD into a decent OU layout.
Group policy applied to either the student machines OU (or using policy filtering for any machine without *S) denied logon locally to a security group that had all students... In large networks I often use group nesting for granular policies, so the 'students' group contained no users but another set of groups, which may again have contained no users but another set of groups, until the groups actually had the users listed.
I also had the staff machines grouped into departments (teaching, admin, finance) and used group policy to grant admin rights to ONLY that department's staff on ONLY that department's machines (group nesting for the win again). Although any staff could log on to any machine, admin rights were granted only to the staff who belonged to that department.
Group nesting may seem like needless work, but when it comes to future changes like adding a new user to the domain, you only need to add said user to a single group and every group policy is applied... no need to find 10 policies and add this new user to them etc. It's very late here; I hope anyone reading this understands the concept without my enumerating the whole benefit.... just ask and I will go into complete detail. This is partly the fall-down with using the "Log On To" option IMO.
...
Sadly the fall-down in your case is that if the user is granted admin rights to any PC, you are restricting which machines they can log on to using their own account. If it was me and I wanted to install software, I'd log in, create a local admin account and use that account to install software.
"Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
- Albert Einstein
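The last paragraph of post #4 is the part to act on: a user who is already a local admin can create a second local admin account that no "Log On To" setting touches. The defensive counterpart is to audit local Administrators membership across the workstations and flag anything outside an approved baseline. The script below is an added example, not from the thread; it reads the group over the ADSI WinNT provider (RPC, no WinRM needed, so Windows 7 and XP targets work), and the computer names, domain and baseline are placeholders.

```powershell
# Added example (not from the thread): list local Administrators on a set of
# workstations and report members that are not on the approved baseline,
# which surfaces the locally created admin account post #4 warns about.
# 'CORP', the computer names and the baseline entries are placeholders.
$computers = @('WS-FIN01', 'WS-FIN02', 'WS-IT01')
$baseline  = @('WS-*\Administrator', 'CORP\Domain Admins')   # -like wildcards allowed

function Get-LocalAdministrators {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        # ADsPath examples: WinNT://CORP/Domain Admins, WinNT://CORP/WS-FIN01/bob
        $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        # Keep the last two segments: DOMAIN\group or COMPUTER\localaccount
        ($parts | Select-Object -Last 2) -join '\'
    }
}

function Find-UnexpectedAdmins {
    param([string[]]$Computers, [string[]]$Baseline)
    foreach ($c in $Computers) {
        try   { $members = Get-LocalAdministrators -Computer $c }
        catch { Write-Warning "$c unreachable: $_"; continue }
        foreach ($m in $members) {
            $approved = $Baseline | Where-Object { $m -like $_ }
            if (-not $approved) {
                [pscustomobject]@{ Computer = $c; Member = $m; Status = 'UNEXPECTED' }
            }
        }
    }
}

Find-UnexpectedAdmins -Computers $computers -Baseline $baseline | Format-Table -AutoSize
```

Schedule it and diff the output against the previous run; a new local account showing up in Administrators on one machine is exactly the event to look into. Run it with an account that is itself a local admin on the targets, since reading group membership remotely needs that access.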
-
May 3rd, 2013, 07:58 PM
#5
I'm just thinking of the OU layout I had back then, as it has been a few years... but I found it worked very well for applying policies.
Site
-Users
--Students
---Year/Grade (OU for each K-12)
--Staff
---Departments (OU for each)
-Machines
--Students
---Location/Lab/Wing (OU for each)
--Staff
---Location/Department (OU for each)
-Security Groups
--(almost identical layout to the user and machine OUs.... yes, I had groups for the machines as well)
"Any intelligent fool can make things bigger and more complex... It takes a touch of genius --- and a lot of courage to move in the opposite direction."
- Albert Einstein
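Posts #4 and #5 describe the structure (OU layout, nested security groups, one GPO per machine OU that denies log on locally to the nested group) without the commands, so here is an added example that builds the skeleton with the ActiveDirectory and GroupPolicy modules. It is not the poster's script: the OU and group names follow post #5, the GPO is assumed to be linked to the staff-machines OU, and the "Deny log on locally" right itself still has to be set in the GPO editor because the GroupPolicy module does not expose User Rights Assignment.

```powershell
# Added example (not from the thread): build the OU, nested-group and GPO
# skeleton from posts #4 and #5. Names are placeholders; assumes RSAT or a DC.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName

function New-OUIfMissing {
    param([string]$Name, [string]$Path)
    $dn = "OU=$Name,$Path"
    try   { Get-ADOrganizationalUnit -Identity $dn | Out-Null }
    catch { New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true | Out-Null }
    return $dn
}

function New-GroupIfMissing {
    param([string]$Name, [string]$Path)
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $Path)) {
        New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security -Path $Path | Out-Null
    }
}

# OU layout from post #5 (top two levels; Year/Department OUs are added the same way)
$usersOU   = New-OUIfMissing 'Users'           $domainDN
$null      = New-OUIfMissing 'Students'        $usersOU
$null      = New-OUIfMissing 'Staff'           $usersOU
$machOU    = New-OUIfMissing 'Machines'        $domainDN
$null      = New-OUIfMissing 'Students'        $machOU
$staffMach = New-OUIfMissing 'Staff'           $machOU
$groupsOU  = New-OUIfMissing 'Security Groups' $domainDN

# Group nesting from post #4: Students <- Students-Grade9 / Students-Grade10 <- users.
# A new student goes into one grade group only; every policy aimed at 'Students'
# picks them up without touching the policy.
New-GroupIfMissing 'Students'         $groupsOU
New-GroupIfMissing 'Students-Grade9'  $groupsOU
New-GroupIfMissing 'Students-Grade10' $groupsOU
Add-ADGroupMember -Identity 'Students' -Members 'Students-Grade9', 'Students-Grade10'
# Add-ADGroupMember -Identity 'Students-Grade9' -Members 'student01'   # per user

# One GPO linked to the staff machines OU that will deny the nested group.
# User Rights Assignment is not scriptable through this module, so after the
# link exists open the GPO in GPMC and set:
#   Computer Configuration > Policies > Windows Settings > Security Settings >
#   Local Policies > User Rights Assignment > "Deny log on locally" = <domain>\Students
# Department admin rights (post #4) use the same pattern: a GPO on the department's
# machine OU, Computer Configuration > Preferences > Control Panel Settings >
# Local Users and Groups, adding that department's staff-admin group to Administrators.
$gpoName = 'Staff Machines - Deny Student Logon'
try   { Get-GPO -Name $gpoName | Out-Null }
catch {
    New-GPO -Name $gpoName -Comment 'Deny log on locally for the nested Students group' | Out-Null
    New-GPLink -Name $gpoName -Target $staffMach -LinkEnabled Yes | Out-Null
}

# Check who the deny will actually hit: -Recursive expands the nesting.
Get-ADGroupMember -Identity 'Students' -Recursive | Select-Object SamAccountName, objectClass
```

The final Get-ADGroupMember -Recursive call is the check worth running before the GPO goes live: it shows the real user accounts reached through the nesting, which is what the "Deny log on locally" right will apply to.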