Right, I still haven't really got to the bottom of this. I've blocked them out of MMC by the aforementioned method in GP. I've also audited the group policies that are being applied and there isn't anything I can see that would give them that access in AD.
I've also tried this with a bunch of the different models of machines we have around school. It seems the AD tools are only installed on a small batch, so I've got them set to re-image.
But it doesn't address the issue of why they were able to modify AD in the first place though.
Edit: Further investigation - it seems it is only 1 teacher account whose name, display name etc. the students are able to modify. I'm obviously not able to test every account, but all the main ones they can't modify. Also, they can't change group membership, which is good. The question now is why can they change this 1 teacher account?
And also, I don't know why they can see AD at all, or is this just the way AD works, that any user account can query AD (via 3rd party tools etc.)?
Last edited by RabbieBurns; 13th May 2011 at 08:27 AM.
I chose a random year 5 student that I'm doing my testing with. It's able to change the display name of this teacher and other info, but not modify groups etc.
OK, a few things to update this. I've had one of the students in question down to show me how they were able to view AD, and this was the method:
Quickly Search Active Directory from the Desktop
How can I block that? Can I disable them from running that exe via GP?
Also, it still doesn't explain why they can change the settings of a teacher, but it seems to be limited to just a single teacher, so I think I might just delete them and recreate them.
Also, we are running at 2003 functional level, so I'm going to ditch the 2003 DCs and upgrade to 2008 R2 functional level.
Also, is there a way of removing the ability of non-admins to join machines to the domain?
Last edited by RabbieBurns; 6th June 2011 at 06:20 AM.
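An added example, not from the thread, of how an admin could check the two open questions in the post above (why one teacher object is writable by students, and who may join machines): it lists the write-type ACEs on the affected account that a reference teacher account does not have, and reads the domain's ms-DS-MachineAccountQuota. It assumes the ActiveDirectory PowerShell module (2008 R2 RSAT) and uses 'teacher.affected' and 'teacher.ok' as placeholder logon names.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT or a
# 2008 R2 DC), and that 'teacher.affected' and 'teacher.ok' are placeholder logons.
Import-Module ActiveDirectory

# Resolve the ObjectType GUID of a property-specific ACE to an attribute name.
function Resolve-SchemaGuid([guid]$Guid) {
    if ($Guid -eq [guid]::Empty) { return '(all properties)' }
    $hex    = ($Guid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
    $schema = Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
              -LDAPFilter "(schemaIDGUID=$hex)" -Properties lDAPDisplayName
    # Property sets and extended rights live elsewhere; fall back to the raw GUID.
    if ($schema) { $schema.lDAPDisplayName } else { $Guid.ToString() }
}

# Allow ACEs on one user object that grant a write-type right, as a flat table.
function Get-WriteAces([string]$SamAccountName) {
    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll|WriteDacl|WriteOwner' } |
        Select-Object @{n='Identity';  e={ $_.IdentityReference.Value }},
                      @{n='Rights';    e={ $_.ActiveDirectoryRights.ToString() }},
                      @{n='Attribute'; e={ Resolve-SchemaGuid $_.ObjectType }},
                      IsInherited   # a non-inherited ACE on just one account is the usual culprit
}

# ACEs present on the account the students can edit but absent on a teacher they cannot.
function Compare-WriteAces([string]$Affected, [string]$Reference) {
    Compare-Object (Get-WriteAces $Affected) (Get-WriteAces $Reference) `
        -Property Identity, Rights, Attribute |
        Where-Object { $_.SideIndicator -eq '<=' } |
        Select-Object Identity, Rights, Attribute
}

# The default quota lets any authenticated user join 10 machines; 0 limits joining to
# accounts holding the 'Add workstations to domain' right or explicit OU permissions.
function Get-MachineAccountQuota {
    $domainDn = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

Compare-WriteAces -Affected 'teacher.affected' -Reference 'teacher.ok' | Format-Table -AutoSize
"ms-DS-MachineAccountQuota = $(Get-MachineAccountQuota)"
# To stop non-admins joining machines once confirmed:
# Set-ADObject -Identity (Get-ADDomain).DistinguishedName -Replace @{'ms-DS-MachineAccountQuota'=0}
```

Run it as a domain admin on a 2008 R2 DC or a workstation with RSAT; the comparison output is the set of extra write permissions to remove from the affected account.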
How are they running that command? (e.g. through Run on the Start menu, through a batch file that they created, etc.)
Last edited by bart21; 6th June 2011 at 08:58 AM.
The GPO setting to prevent anyone searching the AD for computer objects, users etc. is User Configuration\Administrative Templates\Desktop\Active Directory\Maximum size of Active Directory Searches.
Set this to 0.
Hope this helps.