Solved

Restricting domain users

Posted on 2004-10-10
226 Views
Last Modified: 2010-04-14
I have a group of users in my Windows 2000 Server domain named COMPANY, who are expert enough to bother with all things.

At the beginning I had them as Domain Admins. Currently I restrict them to Domain Users. What I am actually looking for is to give them access as if they were Domain Admins, but DENY them altering TCP/IP properties, gateways, joining other domains, and generally anything that has to do with altering the network thingies as well as the registry.

Is there a way of allowing them everything apart from these, and how do I do it?

Thanks
Question by: dinosaurus

8 Comments
 
LVL 23

Expert Comment

by:rhandels
ID: 12272203
Hi,

One simple answer: no, there isn't.... If you add someone to the admins group and they need to do admin thingies, they will be able to change TCP/IP properties. The only way I can think of is to create a new user group and give them access to the things they need to have.. Maybe (and just maybe) you can add them to the domain admins group (the newly created group) and prevent them from changing these things by using GPOs...

Still, it will be stingy... You cannot give them all those rights and not the right to change TCP/IP settings..
0
 
LVL 1

Expert Comment

by:chandupcs
ID: 12272278
hi,

Remove them from the Domain Admins group and add them to the Power Users group.

If that doesn't help then GPOs are the only solution.

0
 
LVL 3

Expert Comment

by:kelo501
ID: 12272924
chandupcs gave you solid advice...

1. Create a new OU and move these elevated users into it.
2. Remove them from Domain Admins and add them to domain Power Users.
3. You can apply Group Policy to the new OU to further lock down your problem users.

or
1. Create a new "company users" OU and move all domain user accounts to it. DO NOT MOVE BUILT-IN ACCOUNTS OR SERVICE ACCOUNTS. Just the accounts you have created for employees.

2. Then add a GPO to that OU locking the items required.

regards,
kelo501
0
 

Author Comment

by:dinosaurus
ID: 12300365
Some comments:

1. I have no Power User Group in my Microsoft Win Server 2000
2. I am trying to access the Domain Controller Security Policy and the Domain Security Policy but I keep getting the message:

Failed to open the Group Policy object. You may not have the appropriate rights.
The specified domain either does not exist or could not be contacted.

I am trying to access these two shortcuts directly from the PDC, and I am the Administrator (I logged in as Administrator). Could this be happening because some service is not running?

3. What is the OU kelo501 is referring to?

If you have any suggestions for (2) I would be happy to increase the points.
Thanks

0

Author Comment

by:dinosaurus
ID: 12562924
Did you quit trying for an answer????
0
 
LVL 23

Expert Comment

by:rhandels
ID: 12582662
Do you have one single domain or multiple domains?? And the machine you're logging into, is this a DC or not?? Can you access all files within the server?? Do you see anything strange in Event Viewer (try restarting the server; normally services that don't start generate events within Event Viewer)..
0
 
LVL 3

Expert Comment

by:kelo501
ID: 12583642
Sorry, I have been so very busy.....
It is not the points, but thank you for the offer.

I still do not have time right now, but we'll post something for you by midnight tonight.

Again sorry,
kelo
0
 
LVL 3

Accepted Solution

by: kelo501 (earned 350 total points)
ID: 12600187
OK, sorry this has taken so long...

First, you do have a Power Users group.

Go to the properties of one of your users, go to the Member Of tab, click Add, click Advanced, select Groups and then Find Now. This will list all of your groups.

It should be "domainname\power users".

2nd, there is a lot to setting up GPO correctly; the only reason to do it is the return given when they're done. I strongly recommend you get a book on 2000 AD. I personally am a big fan of Microsoft Press books, such as the Administrator's Companion. But look on the web or at a store to find one that works for you. You can also find a lot of good information on TechNet.

OK, now if you find the Power Users group, add it to all of your selected users and make sure you remove them from Domain Admins; also make sure they have not added themselves to the local machine Administrators group. If they have, remove them. Once that is done, test and see if that is restrictive enough. I do not believe it will be, because Power Users is designed to allow for the installation of drivers and changing network settings. Microsoft added a mobile user group in 2003 to somewhat address this gap. But in 2000 all laptop users should be given Power Users so they can install devices away from the office and change their settings to get online at remote places.

That being said, we are back to Group Policy objects.
Here is where you should make your changes... This is free advice... I have seen people cause a lot of problems with GPOs, so please research them first.

Create a new OU and move your users into it.

Then click Properties on the OU and go to the Group Policy tab.
Create a new policy called "power user lock down" or whatever you want.
Click Edit.
In the User settings (this will be the bottom set),
select "Local Policy",
select "User Rights Assignment".
On the right side will be a large list of settings you can configure.

You can also use the "Administrative" folder to look for additional stuff.

Now I do not have this to look at right now, so it is from memory and may be off here and there, but it should get you close enough that you can figure it out.

LAST but very important:
set up a test OU and a test user. Then test your GPO before you deploy it into production.

Good luck and I hope this helps.
kelo
0
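The OU-plus-GPO procedure in the accepted solution, scripted as an added example that is not part of the thread (none of the posters supplied code, and Windows 2000 itself had no PowerShell). It assumes a domain controller or admin workstation with the RSAT ActiveDirectory and GroupPolicy modules, which is how the same steps would be done on a current domain. The OU name, the user list and the GPO comment are constructed for the example; "power user lock down" is the GPO name kelo501 suggests. The registry value names correspond to the "Prohibit access to properties of a LAN connection", "Prohibit access to properties of components of a LAN connection" and "Prevent access to registry editing tools" Administrative Template settings; check them against the templates in your own Group Policy editor before relying on the script.

```powershell
# Added example: carve the elevated users out of Domain Admins and into a locked-down OU.
# Requires the RSAT ActiveDirectory and GroupPolicy modules (assumption: a modern DC/admin host).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName        # e.g. DC=company,DC=local
$ouName   = 'Power User Lockdown'                   # constructed OU name
$ouDN     = "OU=$ouName,$domainDN"
$gpoName  = 'power user lock down'                  # name used in the accepted solution
$users    = @('alice', 'bob')                       # constructed sAMAccountNames; never built-in or service accounts

# 1. Create the OU if it is missing, then move the selected user objects into it.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDN -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}
foreach ($sam in $users) {
    $acct = Get-ADUser -Identity $sam
    if ($acct.DistinguishedName -notlike "*,$ouDN") {
        Move-ADObject -Identity $acct.DistinguishedName -TargetPath $ouDN
    }
}

# 2. Least privilege: take them out of Domain Admins. Membership in the built-in
#    Administrators group on each workstation still has to be checked separately.
Remove-ADGroupMember -Identity 'Domain Admins' -Members $users -Confirm:$false

# 3. Create the GPO and link it to the OU so it applies only to these accounts.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Constructed: block network/registry changes for elevated users'
}
$linked = (Get-GPInheritance -Target $ouDN).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ouDN -LinkEnabled Yes | Out-Null
}

# 4. User Configuration > Administrative Templates > Network > Network Connections
#    Deny the TCP/IP and gateway changes the question asks about.
$ncKey = 'HKCU\Software\Policies\Microsoft\Windows\Network Connections'
Set-GPRegistryValue -Name $gpoName -Key $ncKey -ValueName 'NC_LanProperties'       -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $ncKey -ValueName 'NC_LanChangeProperties' -Type DWord -Value 1 | Out-Null

#    User Configuration > Administrative Templates > System > Prevent access to registry editing tools
$sysKey = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System'
Set-GPRegistryValue -Name $gpoName -Key $sysKey -ValueName 'DisableRegistryTools' -Type DWord -Value 1 | Out-Null

# 5. Evidence for the change ticket: who is left in Domain Admins, and what the GPO now enforces.
Write-Host "Remaining Domain Admins:"
Get-ADGroupMember -Identity 'Domain Admins' | Select-Object -ExpandProperty SamAccountName
Write-Host "Policy registry values in '$gpoName':"
Get-GPRegistryValue -Name $gpoName -Key $ncKey  | Select-Object ValueName, Value
Get-GPRegistryValue -Name $gpoName -Key $sysKey | Select-Object ValueName, Value
```

Run it first against a test OU and test user, as kelo501 advises, and confirm the result on a client with `gpupdate /force` followed by `gpresult /r`. Two limits are worth knowing: Administrative Template settings are per-user registry policy, so they stop the user interface but not an account that already holds local administrator rights on the machine, which is why step 2 matters; and the "join other domains" restriction is a user right ("Add workstations to domain") that lives under Computer Configuration in the Default Domain Controllers Policy, not in user-side registry policy, so it is set in the Group Policy editor rather than with Set-GPRegistryValue.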
