Windows Thread, !! students have access to active directory, everything !! in Technical
  1. #16
    NikChillin
    Originally Posted by mounters:
        Hmm, yes because if you stop all exes then you'll have a really useful network?!? What about basic things like winlogon.exe, explorer.exe, winword.exe, calc.exe, paint.exe, notepad.exe
    OK. From outside Program Files I mean

  2. #17

    RabbieBurns
    Originally Posted by ChrisMiles:
        You'd be surprised what you can do with just domain user permissions. Users can, for example, edit certain fields on their own AD user, which is pretty annoying. However, when it comes to MMC stuff, they obviously don't have permissions to modify anything; they can, however, view almost anything. However, one question does present itself: Why do you have the AD management tools installed on the student computers in the first place?

        Anyway, regardless of what MMC snap-ins you deny, they can still use VBScripts or PowerShell to access data on pretty much anything if they really wanted to.
    Also, when I tested with a user account, they were able to modify AD. I changed the displayname of a teacher account..

  3. #18

    Steve21
    Originally Posted by RabbieBurns:
        All of the above are blocked, but they still have access to the C: drive (which I'm trying to have blocked too... red tape...)
    Block it, block it nowwww!

    Steve

  4. #19


    CyberNerd
    Originally Posted by RabbieBurns:
        Also, when I tested with a user account, they were able to modify AD. I changed the displayname of a teacher account..
    Surely this is a permissions error?
    What's stopping anyone with an OpenLDAP client and valid domain credentials logging in and doing the same?

  5. #20

    webman
    Originally Posted by CyberNerd:
        What's stopping anyone with an OpenLDAP client and valid domain credentials logging in and doing the same?
    Hopefully, software restriction policies to prevent the running and installation of foreign executables and software

  6. #21

    Steve21
    Originally Posted by CyberNerd:
        Surely this is a permissions error?
        What's stopping anyone with an OpenLDAP client and valid domain credentials logging in and doing the same?
    Unless it's being run as local admin. In a weird way.

    But yeah without sounding rude, if they can access, C:\, run any exe, Full admin tools, and edit AD etc. Kind of says there's something majorly wrong with the restrictions in place. (If there are any?)

    Might be worth checking all the restrictions to see what's missing, as I know you said you took over recently.

    Better iron them out in advance, than catching up

    Steve

  7. #22
    p858snake
    Originally Posted by RabbieBurns:
        Also, when I tested with a user account, they were able to modify AD. I changed the displayname of a teacher account..
    Check what user groups they are in.... Are you sure they aren't domain admins? (Yes, I've seen schools like that)....

    Personally I would take away every group apart from the default users group and start rebuilding.

  8. #23


    CyberNerd
    Originally Posted by webman:
        Hopefully, software restriction policies to prevent the running and installation of foreign executables and software
    Originally Posted by Steve21:
        Unless it's being run as local admin. In a weird way.

        But yeah without sounding rude, if they can access, C:\, run any exe, Full admin tools, and edit AD etc. Kind of says there's something majorly wrong with the restrictions in place. (If there are any?)

        Might be worth checking all the restrictions to see what's missing, as I know you said you took over recently.

        Better iron them out in advance, than catching up

        Steve
    You seem to be implying that it wouldn't be safe to run user-owned equipment (iPhones, BlackBerrys, Linuxes etc.) in an Active Directory environment in case they run a 3rd party LDAP tool?
    An OpenLDAP server (i.e. a Linux domain server) doesn't suffer from this problem. Is Windows insecure? Should I ditch AD? Or is it a permission error on the AD like I stated?

  9. #24

    Steve21
    Originally Posted by CyberNerd:
        You seem to be implying that it wouldn't be safe to run user-owned equipment (iPhones, BlackBerrys, Linuxes etc.) in an Active Directory environment in case they run a 3rd party LDAP tool?
        An OpenLDAP server (i.e. a Linux domain server) doesn't suffer from this problem. Is Windows insecure? Should I ditch AD? Or is it a permission error on the AD like I stated?
    Don't know where you read that at all. Not that I mentioned anything at all to do with anything you just said....
    (And if you read my post I didn't quote webman anywhere)

  10. #25
    cpjitservices
    I'd also be blocking things in a GPO to stop access to things like CMD and Regedit.

    Have you checked to make sure they are blocked?

  11. #26


    CyberNerd
    Originally Posted by Steve21:
        Don't know where you read that at all. Not that I mentioned anything at all to do with anything you just said....
        (And if you read my post I didn't quote webman anywhere)
    Sorry, I thought the thread was saying that you should lock MMC as it was an unsafe application?!?
    I don't think the problem here is with MMC, CMD or regedit - they need not be restricted because the permission on AD should be enough to stop users changing names etc. on other people's accounts!

  12. #27

    RabbieBurns
    @Steve21 they are running local profiles here with documents and desktop redirected to their server (win7/8r2), how will restricting access to C: affect local profiles?

    @CyberNerd makes sense. Where would I look about access to AD? The students are only members of a students group, domain users, and a graduating year group. How would I audit if anyone has any special permissions? They're obviously not domain admins or anything like that..

  13. #28


    CyberNerd
    Originally Posted by RabbieBurns:
        @CyberNerd makes sense. Where would I look about access to AD? The students are only members of a students group, domain users, and a graduating year group. How would I audit if anyone has any special permissions? They're obviously not domain admins or anything like that..
    I'm guessing security settings in ADSIEdit. I couldn't tell you what to set though....
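
For the audit question above, one approach is to take the SDDL string of a user object's or OU's security descriptor and list the allow ACEs that give broad groups write-type rights. This is an added example, not part of the thread: the function names, the sample SDDL and the students-group SID are constructed here, and it assumes a DACL without conditional ACEs.

```python
import re

# Write-type AD rights: SDDL code -> (name, access-mask bit).
WRITE_RIGHTS = {
    "GA": ("GenericAll", 0x10000000), "GW": ("GenericWrite", 0x40000000),
    "WP": ("WriteProperty", 0x20), "WD": ("WriteDacl", 0x40000),
    "WO": ("WriteOwner", 0x80000),
}
# SDDL trustee aliases that cover ordinary users such as students.
# "PS" (the account itself) is left out on purpose: self-write ACEs are normal.
BROAD_TRUSTEES = {"WD": "Everyone", "AU": "Authenticated Users",
                  "DU": "Domain Users", "BU": "BUILTIN\\Users"}

def pairs(text):
    """Split a run of two-letter SDDL codes ("RPWPCR" -> RP, WP, CR)."""
    return [text[i:i + 2] for i in range(0, len(text), 2)]

def write_rights(rights):
    """Names of the write-type rights in an ACE rights field (codes or hex mask)."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return [name for name, bit in WRITE_RIGHTS.values() if mask & bit]
    return [WRITE_RIGHTS[c][0] for c in pairs(rights) if c in WRITE_RIGHTS]

def risky_aces(sddl, extra_trustees=None):
    """Allow ACEs in the DACL that give broad trustees write-type rights.
    extra_trustees maps full SIDs (e.g. a students group) to display names."""
    trustees = {**BROAD_TRUSTEES, **(extra_trustees or {})}
    dacl = re.search(r"D:[^()]*((?:\([^()]*\))*)", sddl)
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) != 6 or fields[0] not in ("A", "OA"):
            continue  # skip deny/audit ACEs and anything malformed
        _type, flags, rights, obj_guid, _inherit_guid, sid = fields
        granted = write_rights(rights)
        if sid in trustees and granted:
            findings.append({"trustee": trustees[sid], "rights": granted,
                             "object_type": obj_guid or None,
                             "inherited": "ID" in pairs(flags)})
    return findings

# Constructed sample; the long SID stands in for a students group.
STUDENTS = "S-1-5-21-1111111111-2222222222-3333333333-1609"
SAMPLE = ("O:DAG:DAD:AI(D;;WP;;;DU)(A;;GA;;;DA)(A;;RPWP;;;PS)"
          "(A;CIID;RPWPCR;;;AU)(A;;0x20;;;" + STUDENTS + ")")

if __name__ == "__main__":
    for finding in risky_aces(SAMPLE, {STUDENTS: "Students"}):
        print(finding)
```

An inherited finding points at a delegation made higher up the tree (an OU or the domain root), which is where the ACE would need to be corrected.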

  14. #29
    p858snake
    Actually, when you changed the display name... Was that in an AD Users and Computers that you brought up on the client machine or was that in something like "search -> Users and computers"?

  15. #30

    RabbieBurns
    Was within the MMC with the AD snap-in added
