OK. From outside Program Files, I mean.
Unless it's being run as local admin. In a weird way.
But yeah, without sounding rude, if they can access C:\, run any exe, full admin tools, and edit AD etc., it kind of says there's something majorly wrong with the restrictions in place. (If there are any?)
Might be worth checking all the restrictions to see what's missing, as I know you said you took over recently.
Better iron them out in advance, than catching up :D
Steve
You seem to be implying that it wouldn't be safe to run user-owned equipment (iPhones, BlackBerrys, Linuxes etc.) in an Active Directory environment in case they run a 3rd-party LDAP tool?
An OpenLDAP server (i.e. a Linux domain server) doesn't suffer from this problem. Is Windows insecure? Should I ditch AD? Or is it a permission error on the AD like I stated?
I'd also be blocking things in a GPO to stop access to things like CMD and Regedit.
Have you checked to make sure they are blocked?
Sorry, I thought the thread was saying that you should lock MMC as it was an unsafe application?!?
I don't think the problem here is with MMC, CMD or regedit - they need not be restricted because the permissions on AD should be enough to stop users changing names etc. on other people's accounts!
@Steve21 they are running local profiles here with documents and desktop redirected to their server (win7/8r2). How will restricting access to C: affect local profiles?
@CyberNerd makes sense. Where would I look about access to AD? The students are only members of a students group, Domain Users, and a graduating year group. How would I audit if anyone has any special permissions? They're obviously not domain admins or anything like that.
I'm guessing security settings in ADSIEdit. I couldn't tell you what to set though....
Actually, when you changed the display name... Was that in an AD Users and Computers that you brought up on the client machine or was that in something like "search -> Users and computers"?
Was within the MMC with the AD snap-in added.
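
Added example (not part of the thread and not any poster's own script): one way to answer the audit question above is to read the ACL of each user object and list allow entries that give write-type rights to broad groups. It assumes the RSAT ActiveDirectory module is installed; the OU path and the `Students` group name are placeholders to replace with your own.

```powershell
# Added example: find ACEs on user objects that let broad, non-admin
# principals modify them. Run from an admin workstation as a user who can
# read the objects' security descriptors.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# Placeholder OU (assumption): the container holding the accounts to audit.
$SearchBase = 'OU=Students,DC=example,DC=local'

# Principals that should never be able to edit other users' attributes.
# 'Students' is a placeholder for the site's own student group name.
$BroadPrincipals = 'Domain Users', 'Authenticated Users', 'Everyone', 'Students'

# Bits that permit changing attributes, the ACL, or the owner.
# GenericAll and GenericWrite both contain WriteProperty, so they match too.
$WriteMask = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner'

$findings = foreach ($user in Get-ADUser -Filter * -SearchBase $SearchBase) {
    $acl = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.ActiveDirectoryRights -band $WriteMask) -eq 0) { continue }

        # IdentityReference looks like 'DOMAIN\Group'; compare the name part only.
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($BroadPrincipals -notcontains $name) { continue }

        [pscustomobject]@{
            TargetUser = $user.SamAccountName
            Principal  = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            # All-zero GUID means "all properties"; otherwise one attribute or property set.
            ObjectType = $ace.ObjectType
            # Inherited entries are set on a parent OU or the domain root, not on the user.
            Inherited  = $ace.IsInherited
        }
    }
}

# Group by principal and inheritance so a single bad delegation shows as one row.
$findings |
    Group-Object Principal, Rights, Inherited |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Nested group membership is not expanded here, so a write ACE granted to a group that in turn contains the students will not be flagged; add such group names to `$BroadPrincipals` to cover them.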