+ Post New Thread
Results 1 to 8 of 8
Windows Server 2000/2003 Thread, Students can install software! I can't find where this was set. in Technical; I'm doing a bit of work in a school where the last guy set up the 2003 domain as if ...
  1. #1

    Join Date
    Apr 2008
    Location
    Dublin
    Posts
    60
    Thank Post
    16
    Thanked 6 Times in 6 Posts
    Rep Power
    14

    Students can install software! I can't find where this was set.

    I'm doing a bit of work in a school where the last guy set up the 2003 domain as if it was NT. GPMC wasn't installed when I arrived. He has given students permission to install whatever they want. I can't find where he gave them this ability. I've looked at the Default Domain Policy, run RSOP on the OU containing the student account, and then searched in AUDC for Authenticated Users being a member of Administrators etc. I also created a test account and it had all the permissions it shouldn't, too.

    Anyone any ideas?

  2. #2

    Join Date
    Nov 2007
    Location
    Rotherham
    Posts
    1,675
    Thank Post
    122
    Thanked 126 Times in 102 Posts
    Rep Power
    45
    Have you looked on the local computer? Maybe the "domain users" has been added to the PC's Local admin group? Or something allong those lines?

  3. Thanks to Stuart_C from:

    BBrian (23rd August 2010)

  4. #3
    ChrisH's Avatar
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    4,999
    Thank Post
    120
    Thanked 280 Times in 258 Posts
    Rep Power
    106
    Look under restricted groups in the relevant GPOs.

  5. Thanks to ChrisH from:

    BBrian (23rd August 2010)

  6. #4

    Join Date
    Nov 2009
    Location
    North Walsham
    Posts
    118
    Thank Post
    45
    Thanked 8 Times in 8 Posts
    Rep Power
    11
    Not sure of the top of m head but whilst you get to the bottom of you could use GP to disable running of extensions associated with software such as .exe, .msi, etc....this will be a temporary fix.

  7. #5
    oxide54's Avatar
    Join Date
    Mar 2009
    Posts
    798
    Thank Post
    51
    Thanked 55 Times in 54 Posts
    Rep Power
    22
    if you install XP fresh on a computer and join it to the domain do they still have the permission?

    at least that way you will know whether its in a GPO or just on the machines,

  8. Thanks to oxide54 from:

    BBrian (23rd August 2010)

  9. #6

    3s-gtech's Avatar
    Join Date
    Mar 2009
    Location
    Wales
    Posts
    2,712
    Thank Post
    144
    Thanked 548 Times in 492 Posts
    Rep Power
    149
    Do you have a GPO for your students now? An important setting is in User Configuration/Administrative Templates/Windows Components/Windows Installer - Always install with elevated privileges.

    I have also found that programs that don't use the Windows Installer to install have managed to get onto the system - I have denied students write access to the root of C:\ and root of Program Files using Security Policies.

  10. #7

    Join Date
    Feb 2006
    Location
    South Cumbria
    Posts
    199
    Thank Post
    26
    Thanked 29 Times in 24 Posts
    Rep Power
    22
    Have you tried modelling the group policy - this will show you which policies are being applied to an OU

  11. #8

    Join Date
    Apr 2008
    Location
    Dublin
    Posts
    60
    Thank Post
    16
    Thanked 6 Times in 6 Posts
    Rep Power
    14
    Great suggestions, thanks. Here's what I found.

    Quote Originally Posted by oxide54 View Post
    if you install XP fresh on a computer and join it to the domain do they still have the permission?

    at least that way you will know whether its in a GPO or just on the machines,
    I joined a VM to the domain and the pupil account was just a regular user account. So:


    Quote Originally Posted by Stuart_C View Post
    Have you looked on the local computer? Maybe the "domain users" has been added to the PC's Local admin group? Or something allong those lines?
    Domain Users had been added to Administrators on the local computer! So what I did was:


    Quote Originally Posted by ChrisH View Post
    Look under restricted groups in the relevant GPOs.
    And read up on it at WindowSecurity.com and fixed it.


    The other posts were good ideas but I'm glad to have corrected this properly.

SHARE:
+ Post New Thread

Similar Threads

  1. Replies: 1
    Last Post: 3rd August 2010, 09:35 AM
  2. [SIMS] has lost set lists for students!! [Solved]
    By bossman in forum MIS Systems
    Replies: 4
    Last Post: 7th June 2010, 11:50 AM
  3. Replies: 2
    Last Post: 26th February 2010, 03:33 PM
  4. Replies: 0
    Last Post: 1st November 2009, 06:41 PM
  5. Replies: 19
    Last Post: 19th April 2006, 11:57 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •