Oh god, I asked this question in the winnetmag.com forum and no expert or guru can help me.
Help me to stop Domain Admin to install Software.
The solution may be a registry hack or software... help me now.
Don't tell me to move the users to another group. I must have them in the Domain Admins group to run the business software.
--------------
Thanks for the advice
That's the rub, mate: you can't deny a domain admin access, except explicitly. Instead of allowing the "Domain Admins" group in the Administrators group of a PC, you'd have to allow each domain admin's account INDIVIDUALLY, instead of using the Domain Admins group. If you deny access, e.g. using NTFS permissions, and you list the individual account (even if the Domain Admins group is set to allow) and you tell NTFS to DENY, they will be denied.
But if they DL software on their own and they try to install it, they will be allowed, because you haven't set permissions on that file.
You cannot stop them.
ZoneAlarm can.
You can get the free ZA, DL it, and set a password that only you know. When a new program is trying to access the PC or the internet, ZA will ask for the password. Once you've entered the password and allowed the program (if you deny the program, no password is necessary), you'll have to open up the ZA interface and select LOGOUT; otherwise you'll stay logged in and the user would be able to say YES without the password prompt. Give that a try.
-rich
The problem here is the, excuse me, messy (to put it mildly) "Business Software" you're using, which was obviously written for Win9x.
Find out what additional permissions your users need to run the software, and, for heaven's sake, take them out of the Domain Admins group. If it's really, really, really necessary, make them *local* admins of their own workstation, but currently you are offering your *complete* network to basically any worm, virus, trojan or spyware that your users might drag in, not to mention what malicious users can do. Servers and networks with far better security have gone down.
Okay, enough ranting.
To find out which permissions are missing where, get FileMon (http://www.sysinternals.c
Log on as a regular user without additional rights. Start FileMon and RegMon using runas and an administrative account. Filter both to log only the application.
Start the application, check for errors. Adjust NTFS or registry (using regedt32) permissions until you can run the software as user.
Another possibility, using only native tools:
Turn on auditing on your machine (local security policy -- auditing policy: turn on auditing for rights usage and object access).
Enable auditing on the usual suspicious folders (using Windows Explorer, folder properties/Security/Advanc
Turn on auditing as well for HKLM\Software (using regedt32).
(Obviously, you only need to audit failures.)
Log on as the user you're auditing; use runas.exe to start the event log (runas /user:administrator "mmc eventvwr.msc"), then start the program.
Look in the security event log for access violations and adjust the necessary rights until the program can be run by the user. (Note: some of the violations there are "normal" and can be ignored. Look especially at the ones related somehow to the program in question.)
If you can't get it to run under a regular user account, it's probably easier and cheaper to replace the software with something properly functioning than to maybe/probably have to recover from a vandalized network.
I really hope that you misunderstood the difference between domain and local admins, but ...
You really have a MAJOR SECURITY PROBLEM, and you have to do something radical about it NOW (or maybe better the day before yesterday).
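The native-tools procedure above (failure auditing on the suspicious folders and registry keys, then reading the Security log) can be scripted. The following is an added example, not code from the thread or its posters; it assumes a current Windows release (auditpol and event ID 4656, "A handle to an object was requested"), an elevated PowerShell session, and placeholder values for $AppPath and $TestUser. After running it, start the application as the regular user (via runas, as the post describes), then re-run the last pipeline to see which objects the user was refused.

```powershell
# Added example (not from the original thread): enable failure auditing for
# file-system and registry object access, put a SACL on the application
# folder, then summarise failed handle requests (event 4656) by object name.
# Assumptions: Windows with auditpol / Get-WinEvent, run elevated;
# $AppPath and $TestUser are placeholders for your own environment.
param(
    [string]$AppPath  = 'C:\Program Files\BusinessApp',   # placeholder path
    [string]$TestUser = 'CONTOSO\jdoe'                    # placeholder user
)

# 1. Failure-only auditing for the File System and Registry subcategories
#    (the modern equivalent of Local Security Policy -> Audit object access).
auditpol /set /subcategory:"File System" /failure:enable | Out-Null
auditpol /set /subcategory:"Registry"    /failure:enable | Out-Null

# 2. SACL on the application folder: log failed write attempts by Everyone,
#    inherited by all files and subfolders. Only failures are audited, as the
#    post says, to keep the log readable.
$acl  = Get-Acl -Path $AppPath -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::Write,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)
$acl.AddAuditRule($rule)
Set-Acl -Path $AppPath -AclObject $acl

# 3. After the test user has run the program: list failed object-access
#    events for that user, grouped by object, so the paths that actually
#    need extra permissions stand out from the "normal" noise.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4656              # "A handle to an object was requested"
        Keywords  = 4503599627370496  # 0x10000000000000 = Audit Failure
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the EventData fields out of the event XML into a hashtable.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object  = $d.ObjectName
            Access  = $d.AccessList
            Process = $d.ProcessName
        }
    } |
    Where-Object { $_.User -eq $TestUser } |
    Group-Object Object |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{n='Process'; e={ $_.Group[0].Process }} |
    Format-Table -AutoSize
```

The grouped output is the list to work through: grant the user the narrowest NTFS or registry right on each object the business application itself was refused, ignore failures from unrelated processes, and remove the SACL and the audit subcategory once the application runs as a plain user.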
There are 2 kinds of admins in a network: Domain admins and Local admins.
Domain admins rule the servers (and in a normal environment also all the computers).
Local admins rule each computer, but can't rule the servers.
>"Dont tell me to move user to other group. I must them into Domain Admin Group to run Business Software"
Some business software has got the annoying misbehaviour that RUNNING it requires a domain user to be local admin on the computer (there's nothing wrong if the software requires local admins to INSTALL the software).
I deal with this annoying issue on http://www.experts-exchang
MY ADVICE IS THE FOLLOWING:
1. You IMMEDIATELY have to remove the Domain Users group from the Domain Admins group on the servers.
2. You IMMEDIATELY have to remove the Domain Users group from the Local Admins group on each of your computers.
3. Find out how your business software can be run (not installed):
3a. Using Runas:
http://www.experts-exchang
3b. Making the domain user a member of the Local Admins group, but only on their own computer.
Members of the local admin group:
1. Start / Run
2. Input CMD
3. Press ENTER
4. Input NET LOCALGROUP ADMINISTRATORS
5. Press ENTER
Introduction to LOCAL and DOMAIN user accounts
http://windows.about.com/l
Builtin and predefined groups in Windows 2000 Pro
http://www.microsoft.com/w
Builtin and predefined groups in Windows XP
http://www.microsoft.com/t
Builtin and predefined groups in Windows 2000 Advanced Server
http://www.microsoft.com/w
Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark
:o) Your brain is like a parachute. It works best when it's open
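Steps 1 and 2 of the advice above, and the NET LOCALGROUP ADMINISTRATORS check, can be turned into a report that shows exactly which accounts currently sit in Domain Admins and in each workstation's local Administrators group. This is an added example, not code from the thread or its posters; it assumes the RSAT ActiveDirectory module on the machine running it, WinRM access to the workstations, and placeholder values for $Workstations and $ApprovedAdmins.

```powershell
# Added example (not from the original thread): report accounts that are
# members of Domain Admins or of a workstation's local Administrators group
# and are not on an approved list, so the "Domain Users in Domain Admins"
# situation from the question becomes visible. Assumptions: ActiveDirectory
# module, WinRM to the workstations; $Workstations / $ApprovedAdmins are
# placeholders.
param(
    [string[]]$Workstations   = @('PC01', 'PC02'),              # placeholder
    [string[]]$ApprovedAdmins = @('Administrator', 'it-admin')  # placeholder SamAccountNames
)

Import-Module ActiveDirectory

# 1. Domain Admins (step 1 of the advice). -Recursive expands nested groups
#    to their leaf accounts, so a user who is only in Domain Admins via
#    "Domain Users" is still reported.
$domainFindings = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $ApprovedAdmins -notcontains $_.SamAccountName } |
    ForEach-Object {
        [pscustomobject]@{ Scope = 'Domain Admins'; Member = $_.SamAccountName; Type = $_.objectClass }
    }

# -Recursive returns leaf objects only, so list directly nested groups too;
# "Domain Users" showing up here is the finding the question describes.
$nestedGroups = Get-ADGroupMember -Identity 'Domain Admins' |
    Where-Object { $_.objectClass -eq 'group' } |
    ForEach-Object {
        [pscustomobject]@{ Scope = 'Domain Admins (nested group)'; Member = $_.SamAccountName; Type = 'group' }
    }

# 2. Local Administrators on each workstation (step 2). NET LOCALGROUP is the
#    command the thread uses; its output is parsed here so the check also
#    works where Get-LocalGroupMember is not available.
$expectedLocal = @('Administrator', "$env:USERDOMAIN\Domain Admins")
$localFindings = foreach ($pc in $Workstations) {
    $members = Invoke-Command -ComputerName $pc -ScriptBlock {
        $lines  = net localgroup Administrators 2>$null
        $dashes = $lines | Where-Object { $_ -like '----*' } | Select-Object -First 1
        if (-not $dashes) { return @() }
        $start  = [array]::IndexOf($lines, $dashes) + 1
        # Member names follow the dashed line until the trailing status line.
        $lines[$start..($lines.Count - 1)] |
            Where-Object { $_ -and $_ -notlike 'The command completed*' }
    } -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        if ($expectedLocal -notcontains $m) {
            [pscustomobject]@{ Scope = "$pc\Administrators"; Member = $m; Type = 'local member' }
        }
    }
}

# 3. Combined report. Review it, then remove what should not be there, e.g.
#    Remove-ADGroupMember -Identity 'Domain Admins' -Members 'Domain Users'
#    and, on each workstation, net localgroup Administrators "<DOMAIN>\Domain Users" /delete
@($domainFindings) + @($nestedGroups) + @($localFindings) |
    Where-Object { $_ } |
    Sort-Object Scope, Member |
    Format-Table -AutoSize
```

Run it before and after the cleanup: an empty report means only the approved accounts remain in Domain Admins and only the built-in Administrator and Domain Admins remain in each local Administrators group, which is the state steps 1 and 2 aim for.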
The URL in 3a should have been
http://www.experts-exchang
Why you should not run your computer as an administrator
http://www.microsoft.com/w
I can understand why your business software would have to be run as a user with local admin rights, I see this all the time, but DOMAIN ADMIN? That seems a little crazy. I'd double-check with the vendor and make sure that the user doesn't just need to be in the local admin group, not the domain admin group, because if that is the case you might as well just have all your users log in with the domain admin account anyway, because they can screw up your entire network the way things are, change users' passwords, delete users, etc. VERY insecure to say the least.
by: What90, posted on 2004-05-08 at 04:48:18, ID: 11021274
Hi clbitman,
You can't. A Domain Admin has total control over any computer in the Domain they control/manage.
Which means they can install or modify the machines as they please.
The only way to stop that is to remove the computer from the Domain.