+ Post New Thread
Page 4 of 4 FirstFirst 1234
Results 46 to 54 of 54
Windows Thread, !! students have access to active directory, everything !! in Technical; right I'm still not really got to the bottom of this. Ive blocked them out of MMC by the aforementioned ...
  1. #46

    RabbieBurns's Avatar
    Join Date
    Apr 2008
    Location
    Sydney
    Posts
    5,525
    Thank Post
    1,339
    Thanked 470 Times in 307 Posts
    Blog Entries
    6
    Rep Power
    199
    right I'm still not really got to the bottom of this. Ive blocked them out of MMC by the aforementioned method in GP. Ive also audited the group policies they are being applied and there isn't anything I an see that would give them that access in AD.

    Ive also tried this with a bunch of the different models of machines we have round school. It seems the AD tools is only installed on a small batch. So Ive got them set to re-image.

    But it doesn't address the issue of why they were able to modify AD the first place though..

    edit: Further investigation - it seems it is only 1 teacher account that the students are able to modify the name, display name etc etc. Im obviously not able to test every account, but all the main ones they cant modify. Also, they cant change group membership which is good. Question no is why an they change this 1 teacher account?

    And also, I dont know why they can see AD at all, or is this just the way AD works that any user account can query AD (via 3rd party tools etc?)
    Last edited by RabbieBurns; 13th May 2011 at 08:27 AM.

  2. #47

    Steve21's Avatar
    Join Date
    Feb 2011
    Location
    Swindon
    Posts
    2,697
    Thank Post
    335
    Thanked 515 Times in 483 Posts
    Rep Power
    179
    Quote Originally Posted by RabbieBurns View Post
    But it doesn't address the issue of why they were able to modify AD the first place though..
    Is it all students who can access it or only a few? Is it worth creating a new test student, and checking if they get the permissions, or if it's a few users who've added it to themselves accounts?

    Steve

  3. #48

    RabbieBurns's Avatar
    Join Date
    Apr 2008
    Location
    Sydney
    Posts
    5,525
    Thank Post
    1,339
    Thanked 470 Times in 307 Posts
    Blog Entries
    6
    Rep Power
    199
    i chose a random year 5 student that im doing my testing with. Its able to change the diplay name of this teacher and other info, but not modify groups etc

  4. #49

    RabbieBurns's Avatar
    Join Date
    Apr 2008
    Location
    Sydney
    Posts
    5,525
    Thank Post
    1,339
    Thanked 470 Times in 307 Posts
    Blog Entries
    6
    Rep Power
    199
    Ok a few things to update this. Ive had one of the students in question down to show me how they were being able to view AD, and this was the method:

    Quickly Search Active Directory from the Desktop

    How can I block that? Can I disable them from running that exe via GP.

    Also, it still doesn't explain why they can change the settings of a teacher, but it seems to be limited to just a single teacher, so I think I might just delete them and recreate them.

    Also we are running at 2003 functional level so Im going to ditch the 2003 DCs and upgrade to 2008R2 functional level..

    Also, is there a way of removing the ability of non-admins from joining machines to the domain?
    Last edited by RabbieBurns; 6th June 2011 at 06:20 AM.

  5. #50
    p858snake's Avatar
    Join Date
    Dec 2008
    Location
    Queensland
    Posts
    1,490
    Thank Post
    37
    Thanked 175 Times in 151 Posts
    Blog Entries
    2
    Rep Power
    51
    Quote Originally Posted by RabbieBurns View Post
    Also, is there a way of removing the ability of non-admins from joining machines to the domain?
    Yes, it's a gp somewhere, i will look it up later if someone doesn't beat me.

  6. Thanks to p858snake from:

    RabbieBurns (6th June 2011)

  7. #51
    bart21's Avatar
    Join Date
    Aug 2009
    Location
    peterborough
    Posts
    405
    Thank Post
    79
    Thanked 54 Times in 52 Posts
    Rep Power
    20
    @RabbieBurns

    How are they running that command? (e.g through run on the start menu, through a batch file that they created. etc)

    nick
    Last edited by bart21; 6th June 2011 at 08:58 AM.

  8. Thanks to bart21 from:

    jonny_2010 (4th July 2011)

  9. #52

    Join Date
    Jun 2008
    Posts
    718
    Thank Post
    118
    Thanked 64 Times in 52 Posts
    Rep Power
    31
    @RabbieBurns

    The GPO setting to prevent anyone searching the AD for computer objects, users etc is User Configuration\Administrative Templates\Desktop\Active Directory\Maximum size of Active Directory Searches

    Set this to 0.

    Hope this helps.

  10. Thanks to Chuckster from:

    RabbieBurns (6th June 2011)

  11. #53

    RabbieBurns's Avatar
    Join Date
    Apr 2008
    Location
    Sydney
    Posts
    5,525
    Thank Post
    1,339
    Thanked 470 Times in 307 Posts
    Blog Entries
    6
    Rep Power
    199
    Quote Originally Posted by bart21 View Post
    @RabbieBurns

    How are they running that command? (e.g through run on the start menu, through a batch file that they created. etc)

    nick
    the exact way in that webpage by using a shortcut they created

  12. #54

    RabbieBurns's Avatar
    Join Date
    Apr 2008
    Location
    Sydney
    Posts
    5,525
    Thank Post
    1,339
    Thanked 470 Times in 307 Posts
    Blog Entries
    6
    Rep Power
    199
    Quote Originally Posted by Chuckster View Post
    @RabbieBurns

    The GPO setting to prevent anyone searching the AD for computer objects, users etc is User Configuration\Administrative Templates\Desktop\Active Directory\Maximum size of Active Directory Searches

    Set this to 0.

    Hope this helps.
    Found that one just as I was leaving work.. Its enabled now.. Cheers

SHARE:
+ Post New Thread
Page 4 of 4 FirstFirst 1234

Similar Threads

  1. Replies: 6
    Last Post: 31st May 2011, 08:05 AM
  2. Icon Transparency using Active Directory and Active Desktop Backgrounds
    By steveo2000 in forum Windows Server 2000/2003
    Replies: 2
    Last Post: 19th May 2010, 09:50 AM
  3. Replies: 7
    Last Post: 31st January 2008, 12:17 PM
  4. Teacher wants to access active directory...
    By Olumite in forum Network and Classroom Management
    Replies: 31
    Last Post: 8th October 2007, 12:05 PM
  5. Replies: 4
    Last Post: 10th November 2006, 11:28 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •