Windows Thread, !! students have access to active directory, everything !! in Technical; It has been brought to my attention today, that students can get to pretty much all the server admin stuff.
11th May 2011, 08:41 AM #1
!! students have access to active directory, everything !!
It has been brought to my attention today, that students can get to pretty much all the server admin stuff.
They use the mmc.exe program, and then they are able to add snap-ins such as AD, DHCP, printers, pretty much everything.
Im not sure how long this has been going on as Ive not long taken over this network, but how can I stop them from doing this???
11th May 2011, 08:44 AM #2
Create a GPO so they can't run mmc.exe.
11th May 2011, 08:48 AM #3
11th May 2011, 08:49 AM #4
i mean, what do i put in the software restriction policies? where do i get the hash from?
11th May 2011, 08:54 AM #5
Don't use a software restriction policy, go to User Config -> Policies -> ADM templates -> Windows Components -> MMC and configure it all there.
3 Thanks to mounters:
RabbieBurns (11th May 2011), speckytecky (11th May 2011), zag (11th May 2011)
11th May 2011, 08:55 AM #6
It's in User Configuration - > Administrative Templates - > System ->don't run specified Windows applications. Enable that and put mmc.exe in it and away you go
2 Thanks to Tricky_Dicky:
speckytecky (11th May 2011), zag (11th May 2011)
11th May 2011, 08:57 AM #7
Never noticed that before, that's much simpler. Thanks for the info.
Originally Posted by mounters
11th May 2011, 09:01 AM #8
Stop them from running ANY .exe's or you will have no network!
11th May 2011, 09:05 AM #9
Hmm, yes becuase if you stop all exes then you'll have a really useful network?!? What about basic things like winlogon.exe, explorer.exe, winword.exe calc.exe, paint.exe notepad.exe
Originally Posted by NikChillin
11th May 2011, 09:27 AM #10
You'd be supprised what you can do with just domain user permissions. Users can, for example, edit certain fields on their own AD user, which is pretty annoying. However, when it comes to MMC stuff, they obviously don't have permissions to modify anything, they can, however, view almost anything, however, one question does present itself: Why do you have the AD management tools installed on the student computers in the first place?
Anyway, regardless of what MMC snapins you deny, they can still use VBScripts or powershell to access data on pretty much anything if they really wanted to.
11th May 2011, 09:29 AM #11
Out of curiosity, Any reason they can even see the exe's to run?
Originally Posted by RabbieBurns
Aren't all items like "run", control panel, etc etc be locked down in first place? So even if MMC is runnable, there's no way to it.
Just seems a bigger issue that it's accessible, than it's being run :P If that makes sense?
11th May 2011, 09:32 AM #12
ok thats them locked out. Thanks heaps for that.
Is there anything else I should be thinking of about policies for the students a major as this?
11th May 2011, 09:35 AM #13
Well for one, as mentioned above. Why can they even access it as it is? Seems like something's missing/adrift.
Originally Posted by RabbieBurns
11th May 2011, 09:35 AM #14
all of the above are blcoked, but they still have access to the C: drive (which im trying to have blocked too... red tape...)
Originally Posted by Steve21
11th May 2011, 09:36 AM #15
These are just basic windows 7 enterprise installations. The AD pack hasnt been installed seperately.
Originally Posted by ChrisMiles
By NotVeryPC in forum Mac
Last Post: 31st May 2011, 09:05 AM
By steveo2000 in forum Windows Server 2000/2003
Last Post: 19th May 2010, 10:50 AM
Last Post: 31st January 2008, 01:17 PM
By Olumite in forum Network and Classroom Management
Last Post: 8th October 2007, 01:05 PM
By DaveP in forum Windows
Last Post: 10th November 2006, 12:28 PM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)