Restricting MMC

Hi.
Is there a way to restrict what parts of MMC users can access?
I do have a GPO in ...
8th January 2008, 01:06 PM #1
8th January 2008, 01:18 PM #2
Depends what you're trying to accomplish. If you want teachers to have access to change things in AD, then restricting MMC won't be of much use to you - you can restrict what snap-ins they can load, whether they can edit within it or not, but after that, it's a free-for-all.
It sounds like you need to look into delegating AD control.
A good starting point: http://www.microsoft.com/downloads/d...DisplayLang=en
8th January 2008, 01:27 PM #3
What I want to do is restrict what parts of Users and Computers they can access, and what they can and can't do.
For example, at the moment, they have full access to Users and Computers. So they can move things around, change passwords for anyone, etc.
I want to restrict it so that they can only change passwords for users in certain OUs. So that things in other OUs, and other functions, are denied to them.
8th January 2008, 01:38 PM #4
Definitely want to look into AD delegation then. Exactly what it does.
Take a look at that MS document & http://www.windowsecurity.com/articl...istration.html to get an idea.
8th January 2008, 01:49 PM #5
I've looked at that, and some other Google articles.
All that appears to allow me to do is allow users to do things.
There's no deny/hide functions in there.
I want staff to be only able to see the pupil OUs, and only be able to change passwords in it. Nothing else.
Every other OU, and functions like move/new/etc., I want to remove access to.
8th January 2008, 01:59 PM #6
I have this set up so ICT staff can change passwords and nothing else, all using MMC and account delegation.
Attached is the document I give out to our ICT staff. Is this the sort of thing you are trying to do?
If so I will dig out the step-by-step instructions on how to set it up.
Last edited by ICTNUT; 8th January 2008 at 02:02 PM.
Reason: Attachment not right
8th January 2008, 01:59 PM #7
Using the Delegate Control thing on one test user and two test OUs.
I've given the user password-changing options on one OU, and using the advanced view in AD, changed the permissions on the other to deny everything.
Yet the user can still do everything in both OUs!?
8th January 2008, 02:05 PM #8
I've managed to hide the OU by disabling the security permissions from inheriting from above.
Then removing all references to the test user, then re-adding the deny permission.
I'm a little bit hesitant about applying the same technique to every folder in AD that I want to restrict though. Will it not cause problems?
8th January 2008, 02:07 PM #9
It all depends on what permissions the user has within AD. The way to get round this is to create a security group in AD, e.g. ICT_Staff_PWD_Chg, and use the account delegation wizard to allow this group only to change user passwords.
This way you can just add and remove users as you need without having to modify their permissions.
This is how I have it set up and it works fine.
8th January 2008, 02:10 PM #10
You may also want to take a look at creating custom MMCs or taskpads:
And how to roll out custom adminpak.msi installations, thus restricting further what can be accessed:
8th January 2008, 02:14 PM #11
That's what I would do.
But just focusing on the test user, it's still allowing read/write access to everything else, even though in the delegation wizard thing I selected only password changing.
The way I've found to do what I want is to remove inherited permissions from an OU, then remove the references to the test user, then re-add a deny Full Control. This removes that OU from the MMC when that user uses it.
I'm hesitant to do this to all but the pupil OUs for fear of messing something up. For example, do the permissions for delegation (in regards to OU security) affect anything else but MMC access to those parts?
I don't want to spend 20 minutes denying the staff group access to everything in AD apart from the pupils OU, only to find that it messes up their ability to log on, print, access shares, access programs, etc.
8th January 2008, 02:21 PM #12
What security rights do your staff have? Mine are mere Domain Users, that's it.
As a domain user there is little that you can do within ADUC anyhow.
I created a custom MMC and rolled that out to ICT IWB PCs without any problems, and although the options to disable accounts, delete accounts etc. still appear when you right-click, selecting them gives you an access denied error.
If your staff have custom security permissions or are higher than mere domain users, this could be the reason why they are still able to do the things you don't want.
Editing the folder permissions will have a knock-on effect with other areas of AD, hence the custom security group and not having to edit permissions directly.
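The group-based delegation described in #9 and #12, as an added PowerShell example that is not from the thread or its attached document. It does in script what the Delegation of Control wizard's "Reset user passwords and force password change at next logon" task does (the Reset Password control access right plus read/write on pwdLastSet, scoped to user objects under the OU), adds lockoutTime so staff can unlock an account they have just reset, and then audits the OU tree for the two things the earlier posts were nervous about: Deny ACEs for the group and OUs whose inheritance has been broken. The group name ICT_Staff_PWD_Chg comes from #9; the OU and domain names are hypothetical. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) and an account allowed to modify the OU's security descriptor.

```powershell
# Added example, not code from the thread. Assumes RSAT ActiveDirectory module.
# Names below are hypothetical apart from the group name quoted in post #9.
Import-Module ActiveDirectory

$GroupName = 'ICT_Staff_PWD_Chg'
$OuDN      = 'OU=Students,DC=school,DC=local'   # hypothetical OU and domain
$DomainDN  = 'DC=school,DC=local'

function Get-SchemaGuid {
    # Resolve a class/attribute schemaIDGUID from this forest's schema rather than hardcoding it.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $root = Get-ADRootDSE
    $obj  = Get-ADObject -SearchBase $root.schemaNamingContext `
                -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

function Get-ExtendedRightGuid {
    # Resolve a control access right (e.g. "Reset Password") from CN=Extended-Rights.
    param([Parameter(Mandatory)][string]$DisplayName)
    $root = Get-ADRootDSE
    $obj  = Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
                -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "Extended right '$DisplayName' not found" }
    [guid]$obj.rightsGuid
}

function New-AdAce {
    # Build an Allow ACE that applies to descendant objects of class $InheritedObjectType only.
    param($Sid, [System.DirectoryServices.ActiveDirectoryRights]$Rights, [guid]$ObjectType, [guid]$InheritedObjectType)
    New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $Sid, $Rights,
        ([System.Security.AccessControl.AccessControlType]::Allow),
        $ObjectType,
        ([System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents),
        $InheritedObjectType
}

function Grant-ResetPasswordOnOu {
    # Delegate only what the wizard's "reset password / force change at next logon" task grants,
    # plus lockoutTime, to a group, on user objects beneath one OU. Allow ACEs only, no Deny.
    param([Parameter(Mandatory)][string]$GroupName, [Parameter(Mandatory)][string]$OuDN)
    $sid         = (Get-ADGroup -Identity $GroupName).SID
    $userClass   = Get-SchemaGuid 'user'
    $resetPwd    = Get-ExtendedRightGuid 'Reset Password'
    $pwdLastSet  = Get-SchemaGuid 'pwdLastSet'
    $lockoutTime = Get-SchemaGuid 'lockoutTime'
    $rw = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

    $acl = Get-Acl -Path "AD:\$OuDN"
    # 1. The Reset Password control access right (set a password without knowing the old one).
    $acl.AddAccessRule((New-AdAce $sid ExtendedRight $resetPwd $userClass))
    # 2. pwdLastSet, so "User must change password at next logon" can be ticked.
    $acl.AddAccessRule((New-AdAce $sid $rw $pwdLastSet $userClass))
    # 3. lockoutTime, so a locked-out pupil can be unlocked after the reset.
    $acl.AddAccessRule((New-AdAce $sid $rw $lockoutTime $userClass))
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

function Test-OuDelegationHygiene {
    # For every OU under $SearchBase, report broken inheritance and any Deny ACEs for the group.
    # Both are what per-OU "remove inheritance, add Deny Full Control" editing leaves behind.
    param([Parameter(Mandatory)][string]$SearchBase, [Parameter(Mandatory)][string]$GroupName)
    Get-ADOrganizationalUnit -SearchBase $SearchBase -Filter * | ForEach-Object {
        $acl    = Get-Acl -Path "AD:\$($_.DistinguishedName)"
        $denies = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -like "*\$GroupName"
        })
        [pscustomobject]@{
            OU                = $_.DistinguishedName
            InheritanceBroken = $acl.AreAccessRulesProtected
            DenyAcesForGroup  = $denies.Count
        }
    }
}

# Usage: delegate on the pupil OU, then confirm nothing else in the domain carries
# a Deny for the group or has had inheritance switched off.
Grant-ResetPasswordOnOu -GroupName $GroupName -OuDN $OuDN
Test-OuDelegationHygiene -SearchBase $DomainDN -GroupName $GroupName | Format-Table -AutoSize
```

Two caveats worth keeping in mind when reading the earlier posts. First, the wizard (and this script) only ever adds Allow ACEs, so if the group's members can still edit everything it is because some other membership (Account Operators, a custom Full Control entry, local admin on the DC) already grants it; check `Get-ADPrincipalGroupMembership` for the test user before reaching for Deny. Second, a Deny Read on an OU for the group is not an MMC setting: it removes those objects from every LDAP client the group's members use, and breaking inheritance leaves each OU with its own ACL that has to be maintained by hand, which is the knock-on effect mentioned in #12. If the goal is purely to hide containers from browsing, Active Directory has a separate List Object mode (the dsHeuristics attribute) intended for that, which does not require Deny ACEs. Note also that this delegates Reset Password only; the Change Password right (old password required) is granted to Everyone and Self by default and is unaffected.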
8th January 2008, 02:24 PM #13
8th January 2008, 02:35 PM #14
8th January 2008, 02:52 PM #15
I have my AD setup as follows:
Year 7 OU
Year 8 OU
Year 9 OU
Year 10 OU
Year 11 OU
Year 12 OU
Year 13 OU
All my year OU's are within the Student OU
I then simply create the view pointing to the Students OU and INCLUDE all sub-OUs, thus eliminating the need to do it per OU.
If your setup is like this:
Where each year is its own top-level OU, then yes, you would need to select each OU one by one.
Last edited by ICTNUT; 8th January 2008 at 02:54 PM.