Windows Thread: Restricting MMC (Technical)
  1. #1

    Restricting MMC.

    Hi.
    Is there a way to restrict what parts of MMC users can access?
    I do have a GPO in place that stops people accessing things like DNS/DHCP/whatnot, but I still allow teachers access to the AD for users so they can edit passwords. Is there a way to make restrictions within that as well though?

    Thanks in advance all.

  2. #2 Diello
    Depends what you're trying to accomplish. If you want teachers to have access to change things in AD, then restricting MMC won't be of much use to you - you can restrict what snap-ins they can load, whether they can edit within it or not, but after that, it's a free-for-all.

    It sounds like you need to look into delegating AD control.

    A good starting point: http://www.microsoft.com/downloads/d...DisplayLang=en

  3. #3
    What I want to do is restrict what parts of Users and Computers they can access, and what they can and can't do.
    For example, at the moment, they have full access to Users and Computers. So they can move things around, change passwords for anyone, etc.
    I want to restrict it so that they can only change passwords for users in certain OUs, so that things in other OUs, and other functions, are denied to them.

  4. #4 Diello
    Definitely want to look into AD delegation then. That's exactly what it does.

    Take a look at that MS document & http://www.windowsecurity.com/articl...istration.html to get an idea.

  5. #5
    I've looked at that, and some other Google articles.
    All that appears to allow me to do is allow users to do things.
    There's no deny/hide function in there.

    I want staff to only be able to see the pupil OUs, and only be able to change passwords in them. Nothing else.
    Every other OU, and functions like move/new/etc., I want to remove access to.

  6. #6 ICTNUT
    I have this set up so ICT staff can change passwords and nothing else, all using MMC and account delegation.

    Attached is the document I give out to our ICT staff. Is this the sort of thing you are trying to do?

    File Here

    If so I will dig out the step by step instructions on how to set it up.
    Last edited by ICTNUT; 8th January 2008 at 01:02 PM. Reason: Attachment not right

  7. #7
    Using the delegate control thing on one test user and two test OUs.
    I've given the user password-changing options on one OU, and using the advanced view in AD, changed the permissions on the other to deny everything.
    Yet the user can still do everything in both OUs!?

  8. #8
    Ah ha!
    I've managed to hide the OU by disabling the security permissions from inheriting from above,
    then removing all references to the test user, then re-adding the deny permission.

    I'm a little bit hesitant about applying the same technique to every folder in AD that I want to restrict though. Will it not cause problems?

  9. #9 ICTNUT
    It all depends on what permissions the user has within AD. The way to get round this is to create a security group in AD, i.e. ICT_Staff_PWD_Chg, and use the account delegation wizard to allow this group only to change user passwords.

    This way you can just add and remove users as you need without having to modify their permissions.

    This is how I have it set up and it works fine.
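
    What the delegation wizard does for the "reset user passwords" task can be reproduced and audited in PowerShell. The block below is an added example, not from this thread or any of its posters: it grants the group from post #9 only the Reset Password extended right (plus pwdLastSet read/write, which the wizard also sets) on user objects under a Students OU, then lists every ACE that group holds on any OU so a stray Full Control or Deny entry added by hand is visible. The OU distinguished name `OU=Students,DC=school,DC=local` is an assumption.

    ```powershell
    # Added example (not from the thread). Assumes the ActiveDirectory module
    # and an OU named OU=Students,DC=school,DC=local (assumed DN).
    Import-Module ActiveDirectory

    $ouDn  = 'OU=Students,DC=school,DC=local'   # assumption
    $group = Get-ADGroup 'ICT_Staff_PWD_Chg'     # group name from post #9
    $sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

    # Well-known AD schema GUIDs (fixed in the schema, not site-specific)
    $resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # Reset Password extended right
    $pwdLastSetAttr     = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute
    $userClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class

    $acl = Get-Acl -Path "AD:\$ouDn"

    # ACE 1: Reset Password, applied only to user objects below the OU
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $resetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass))

    # ACE 2: read/write pwdLastSet so "must change password at next logon" works
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
         [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty),
        [System.Security.AccessControl.AccessControlType]::Allow,
        $pwdLastSetAttr,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass))

    Set-Acl -Path "AD:\$ouDn" -AclObject $acl

    # Audit: every ACE this group holds on any OU in the domain. Anything other
    # than the two Allow entries above (e.g. a Deny, or GenericAll) needs a look.
    Get-ADOrganizationalUnit -Filter * | ForEach-Object {
        $dn = $_.DistinguishedName
        (Get-Acl -Path "AD:\$dn").Access |
            Where-Object { $_.IdentityReference -like "*\$($group.Name)" } |
            Select-Object @{n='OU';e={$dn}}, AccessControlType, ActiveDirectoryRights,
                          ObjectType, InheritanceType, IsInherited
    }
    ```

    Run the audit part on its own before and after using the wizard to see exactly which ACEs it wrote, and to confirm the group has nothing outside the Students subtree.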

  10. #10 ICTNUT
    You may also want to take a look at creating custom MMCs or taskpads:

    http://www.petri.co.il/create_taskpa...operations.htm

    And how to roll out custom adminpak.msi installations thus restricting what can be accessed further:

    http://www.petri.co.il/extract_speci...minpak_msi.htm

  11. #11
    Quote Originally Posted by ICTNUT:
        It all depends on what permissions the user has within AD. The way to get round this is to create a security group in AD, i.e. ICT_Staff_PWD_Chg, and use the account delegation wizard to allow this group only to change user passwords.

        This way you can just add and remove users as you need without having to modify their permissions.

        This is how I have it set up and it works fine.
    That's what I would do.
    But just focusing on the test user, it's still allowing read/write access to everything else, even though in the delegation wizard thing I selected only password changing.

    The way I've found to do what I want is to remove inherited permissions from an OU, then remove the references to the test user, then re-add a deny Full Control. This removes that OU from the MMC when that user uses it.

    I'm hesitant to do this to all but the pupil OUs for fear of messing something up. For example, do the permissions for delegation (in regards to OU security) affect anything else but MMC access to those parts?

    I don't want to spend 20 mins denying the staff group access to everything in AD apart from the pupils OU, only to find that it messes up their ability to log on, print, access shares, access programs, etc.

  12. #12 ICTNUT
    What security rights do your staff have? Mine are mere Domain Users, that's it.

    As a domain user there is little that you can do within ADUC anyhow.

    I created a custom MMC and rolled that out to ICT IWB PCs without any problems, and although the options to disable accounts, delete accounts etc. still appear when you right click, selecting them gives you an access denied error.

    If your staff have custom security permissions or are higher than mere domain users, this could be the reason why they are still able to do the things you don't want.

    Editing the folder permissions will have a knock-on effect with other areas of AD, hence the custom security group and not having to edit permissions directly.

  13. #13
    That little custom MMC program looks ideal.
    I'm trying to follow that guide, but it's still showing me the entire AD in my custom MMC.

  14. #14
    So I need to create commands and task views for every OU for the pupils!?

  15. #15 ICTNUT
    I have my AD set up as follows:

    Domain
    |
    Students OU
    |
    Year 7 OU
    Year 8 OU
    Year 9 OU
    Year 10 OU
    Year 11 OU
    Year 12 OU
    Year 13 OU

    All my year OUs are within the Students OU.

    I then simply create the view pointing to the Students OU and INCLUDE all sub-OUs, thus eliminating the need to do it per OU.

    If your setup is like this:

    Domain
    |
    Year 7
    |
    Year 8
    |
    etc.

    where each year is its own top-level OU, then yes, you would need to select each OU one by one.
    Last edited by ICTNUT; 8th January 2008 at 01:54 PM. Reason: Clarification
