OK. from outside Program files I meanOriginally Posted by mounters
Hmm, yes becuase if you stop all exes then you'll have a really useful network?!? What about basic things like winlogon.exe, explorer.exe, winword.exe calc.exe, paint.exe notepad.exe
also, when i tested with a user account, they were able to modify AD, I changed the displayname of a teacher account..
Block it, block it nowwww!
Steve
Surely this is a permissions error?
Whats stopping anyone with an openLDAP client and valid domain credentials logging in and doing the same?
Hopefully, software restriction policies to prevent the running and installation of foreign executables and software
Unless it's being run as local admin. In a weird way.
But yeah without sounding rude, if they can access, C:\, run any exe, Full admin tools, and edit AD etc. Kind of says there's something majorly wrong with the restrictions in place. (If there are any?)
Might be worth checking all the restrictions to see what's missing, as I know you said you took over recently.
Better iron them out in advance, than catching up
Steve
Check what user groups they are in.... Are you sure they aren't domain admins? (yes i've seen schools like that)....
Personally I would take away every group apart from the default users group and start rebuilding.
Hopefully, software restriction policies to prevent the running and installation of foreign executables and softwareYou seem to be implying that it wouldn't be safe to run user owned equipment (iphones,blackberrys,linuxes etc) in an Active Directory environment incase they run a 3rd pary LDAP tool?Unless it's being run as local admin. In a weird way.
But yeah without sounding rude, if they can access, C:\, run any exe, Full admin tools, and edit AD etc. Kind of says there's something majorly wrong with the restrictions in place. (If there are any?)
Might be worth checking all the restrictions to see what's missing, as I know you said you took over recently.
Better iron them out in advance, than catching up
Steve
An openLDAP server (ie a linux Domain server) doesn't suffer from this problem. Is windows insecure? should I ditch AD? or is it a permission error on the AD like I stated ?
Don't know where you read that at all. Not that I mentioned anything at all to do with anything you just said....
(And if you read my post I didn't quote webman anywhere)
I'd also be blocking things in a GPO to stop access to things like CMD and Regedit.
Have you checked make sure they are blocked ?
Sorry I thought the thread was saying that you should lock MMC as it was an unsafe application ?!?
I don't think the problem here is with MMC, CMD or regedit - they need not be restricted because the permission on AD should be enough to stop users changing names etc on other people accounts!
@Steve21 they are running local profiles here with documents and desktop redirected to their server (win7/8r2), how will restricting access to C: effect local profiles?
@CyberNerd makes sense. where would I look about access to AD? The students are only members of a students group, domain users, and a graduating year group. How would I audit if they have anyone has any special permissions? They're obviously not domain admins or anything like that..
I'm guessing security settings in ADSIEdit. I couldn't tell you what to set though....@CyberNerd makes sense. where would I look about access to AD? The students are only members of a students group, domain users, and a graduating year group. How would I audit if they have anyone has any special permissions? They're obviously not domain admins or anything like that..
Actually, when you changed the display name... Was that in a AD users and computers that you brought up on the client machine or was that in something like "search -> Users and computers"?
was within the mmc with the ad snapin added
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks
