Is there a way to restrict what parts of MMC users can access?
I do have a GPO in place that stops people accessing things like DNS/DHCP/whatnot, but I still allow teachers access to the AD for users so they can edit passwords. Is there a way to make restrictions within that as well, though?
Thanks in advance, all. :)
Depends what you're trying to accomplish. If you want teachers to have access to change things in AD, then restricting MMC won't be of much use to you - you can restrict what snap-ins they can load, whether they can edit within it or not, but after that, it's a free-for-all.
It sounds like you need to look into delegating AD control.
A good starting point: http://www.microsoft.com/downloads/d...DisplayLang=en
What I want to do is restrict what parts of Users and Computers they can access, and what they can and can't do.
For example, at the moment, they have full access to Users and Computers. So they can move things around, change passwords for anyone, etc.
I want to restrict it so that they can only change passwords for users in certain OUs, so that things in other OUs, and other functions, are denied to them.
Definitely want to look into AD delegation then :) Exactly what it does.
Take a look at that MS document & http://www.windowsecurity.com/articl...istration.html to get an idea.
I've looked at that, and some other Google articles.
All that appears to allow me to do is allow users to do things.
There's no deny/hide function in there.
I want staff to be only able to see the pupil OUs, and only be able to change passwords in them. Nothing else.
Every other OU, and functions like move/new/etc., I want to remove access to.
I have this set up so ICT staff can change passwords and nothing else, all using MMC and account delegation.
Attached is the document I give out to our ICT staff. Is this the sort of thing you are trying to do?
If so I will dig out the step by step instructions on how to set it up.
Using the Delegate Control thing on one test user and two test OUs.
I've given the user password-changing options on one OU, and using the advanced view in AD, changed the permissions on the other to deny everything.
Yet the user can still do everything in both OUs!?
I've managed to hide the OU by disabling the security permissions from inheriting from above.
Then removing all references to the test user, then re-adding the deny permission.
I'm a little bit hesitant about applying the same technique to every folder in AD that I want to restrict, though. Will it not cause problems?
It all depends on what permissions the user has within AD. The way to get round this is to create a security group in AD, e.g. ICT_Staff_PWD_Chg, and use the account delegation wizard to allow this group only to change user passwords.
This way you can just add and remove users as you need without having to modify their permissions.
This is how I have it set up and it works fine.
You may also want to take a look at creating custom MMCs or taskpads:
And how to roll out custom adminpak.msi installations, thus restricting what can be accessed further:
That's what I would do.
Originally Posted by ICTNUT
But just focusing on the test user, it's still allowing read/write access to everything else, even though in the delegation wizard thing I selected only password changing.
The way I've found to do what I want is to remove inherited permissions from an OU, then remove the references to the test user, then re-add a deny full control. This removes that OU from the MMC when that user uses it.
I'm hesitant to do this to all but the pupil OUs for fear of messing something up. For example, do the permissions for delegation (in regards to OU security) affect anything else but MMC access to those parts?
I don't want to spend 20 mins denying the staff group access to everything in AD apart from the pupils OU, only to find that it messes up their ability to log on, print, access shares, access programs, etc.
What security rights do your staff have? Mine are mere Domain Users, that's it.
As a domain user there is little that you can do within ADUC anyhow.
I created a custom MMC and rolled that out to ICT IWB PCs without any problems, and although the options to disable accounts, delete accounts etc. still appear when you right-click, selecting them gives you an access denied error.
If your staff have custom security permissions or are higher than mere domain users, this could be the reason why they are still able to do the things you don't want.
Editing the folder permissions will have a knock-on effect with other areas of AD, hence the custom security group, and not having to edit permissions directly.
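As an added example (not part of any post in this thread), here is how the allow-only delegation described in the two replies above can be applied and checked from PowerShell rather than through the Delegation of Control wizard. It grants the group ICT_Staff_PWD_Chg the "Reset Password" right (plus read/write on pwdLastSet, so "must change password at next logon" can be ticked) on user objects under OU=Students, inheriting to every sub-OU, and then verifies that the right is present on the pupil OU and absent on a staff OU, which is the check the original poster was asking for. The domain school.local, the OU names and the group name are assumptions; the three GUIDs are the well-known schema GUIDs for the user class, the Reset Password control access right and the pwdLastSet attribute, which are the same in every AD forest. No deny ACEs are needed: if staff are plain Domain Users they already lack write access elsewhere, and the allow ACEs only add the one right on the one subtree.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT) and
# an account that can modify the OU's security descriptor.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

# Assumed names (change to match your domain).
$Domain    = 'DC=school,DC=local'
$PupilOU   = "OU=Students,$Domain"
$StaffOU   = "OU=Staff,$Domain"
$GroupName = 'ICT_Staff_PWD_Chg'

# Well-known schema GUIDs; verify with Get-ADObject against CN=Schema if in doubt.
$UserClassGuid     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # "user" object class
$ResetPasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" control access right
$PwdLastSetGuid    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # pwdLastSet attribute

function Grant-PasswordResetDelegation {
    param([string]$OUDistinguishedName, [string]$GroupSamAccountName)

    $sid  = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $GroupSamAccountName).SID
    $path = "AD:\$OUDistinguishedName"
    $acl  = Get-Acl -Path $path

    # ACE 1: Reset Password on user objects below this OU (Descendents = all sub-OUs, not the OU itself).
    $resetAce = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClassGuid)

    # ACE 2: read/write pwdLastSet so "User must change password at next logon" can be set.
    $pwdLastSetAce = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $PwdLastSetGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClassGuid)

    $acl.AddAccessRule($resetAce)
    $acl.AddAccessRule($pwdLastSetAce)
    Set-Acl -Path $path -AclObject $acl
}

function Test-PasswordResetDelegation {
    # Returns $true if the group holds an Allow "Reset Password" ACE on this OU (explicit or inherited).
    param([string]$OUDistinguishedName, [string]$GroupSamAccountName)

    $sid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $GroupSamAccountName).SID
    $acl = Get-Acl -Path "AD:\$OUDistinguishedName"

    $hits = $acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
        $_.ObjectType -eq $ResetPasswordGuid
    }
    return [bool]$hits
}

Grant-PasswordResetDelegation -OUDistinguishedName $PupilOU -GroupSamAccountName $GroupName

# The group should now have the right on the pupil subtree and nowhere else.
"Students OU delegated: $(Test-PasswordResetDelegation $PupilOU $GroupName)"
"Staff OU delegated:    $(Test-PasswordResetDelegation $StaffOU $GroupName)"
```

Because the ACEs use the Descendents inheritance flag, every Year OU created under OU=Students picks them up automatically, so there is nothing to repeat per OU. Membership of ICT_Staff_PWD_Chg is then the only thing to manage when staff join or leave.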
That little custom MMC program looks ideal.
I'm trying to follow that guide, but it's still showing me the entire AD in my custom MMC. :(
So I need to create commands and task views for every OU for the pupils!?
I have my AD setup as follows:
Year 7 OU
Year 8 OU
Year 9 OU
Year 10 OU
Year 11 OU
Year 12 OU
Year 13 OU
All my year OUs are within the Students OU.
I then simply create the view pointing to the Students OU and INCLUDE all sub-OUs, thus eliminating the need to do it per OU.
If your setup is like this:
Where each year is its own top-level OU, then yes, you would need to select each OU one by one.