Solved

How do I lock down the domain when the main application requires administrator privileges

Posted on 2006-06-13
Last Modified: 2010-04-19
I'm working on setting up a small SBS2003 domain.  The company is migrating from a Windows 2000 Workgroup.  The main reason for doing this was to better secure the workstations so the employees aren't always screwing them up.  Well today I found that their main business application will not run without administrator privileges, so I guess I'm going to have to give every employee an Administrative account.  How in the world can I lock this network down?  I was hoping to keep the employees from being able to install applications, keep them from downloading anything off the internet, turn off ActiveX controls, turn off the Run dialog, turn off the Control Panel, etc.  I was hoping to do all this with Group Policy, but now that this dilemma has come up I'm at a loss.  Can I still make these employees Administrators and achieve this type of security?  This is very time sensitive so I appreciate your help.
Question by:jb1013
LVL 7

Accepted Solution

by:
Zadkin earned 250 total points
ID: 16900257
Making users local admin is standard. Jeff mentioned a locking down reference: http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/rstrplcy.mspx
0
 
LVL 74

Assisted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 250 total points
ID: 16900889
While it is the standard to have users be in the local administrators group of a workstation, and while I tend to not be too worried about that as long as the Software Restriction policies are in place per the above link, there are SOME situations where you need even more of a lockdown.

You should realize that it's not your network that needs the lockdown, but the local machines... these are two very different things... because standard users do not have broad rights over the network.  If you impose a group policy, it will always override ANY local policies on the machine... so if you don't want access to the control panel, just create a group policy that restricts that... even if the user has local admin rights, your policy will prevail.

Please review http://sbsurl.com/add to see how you can further secure the workstations.  Also, there are a number of work-arounds for various software which requires local admin privs.  See http://threatcode.com for info.  (This is a site created by those who are strong proponents of keeping users out of any admin group).

Jeff
TechSoEasy
0
 
LVL 1

Author Comment

by:jb1013
ID: 16906063
Thanks guys.  So I think I have the local admin thing figured out.  I've got all the employees that need to be able to use this application in a domain security group and then added that security group to the Local Admin group on each machine that will be running the application.  That seems to work.  I did have to change the NTFS permissions on the database to allow Authenticated Users to Modify but the application is working now.

Now I'm having some problems getting Group Policy set up.  I'm starting a new thread; if you think you can help, I would appreciate it.

http://www.experts-exchange.com/Operating_Systems/SBS_Small_Business_Server/Q_21886649.html
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16908091
Yep, that'll work, because as you will note the Domain Admins group is a member of the local administrators group and that's how you are able to get things to work on the machines.

You probably could have used that same group for your NTFS permissions as well.

Jeff
TechSoEasy
0
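
The setup described in the last two posts (a domain security group added to each workstation's local Administrators group, and Modify rights on the database), as an added audit example that is not part of the original thread: it lists the local Administrators members, flags broad principals that can write to the database folder, and grants Modify to the same group instead of Authenticated Users. The group name and path are placeholders, and the script assumes Windows PowerShell 5.1 or later running elevated on the workstation.

```powershell
# Added example. $AppGroup and $DbPath are placeholders, not values from the thread.
$AppGroup = 'EXAMPLE\AppUsers'        # hypothetical domain security group
$DbPath   = 'C:\ExampleApp\Database'  # hypothetical database folder

# Well-known SIDs of broad principals; SIDs avoid localized group names.
$Broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$WriteData = [int][System.Security.AccessControl.FileSystemRights]::WriteData
$SidType   = [System.Security.Principal.SecurityIdentifier]

# 1. Who is in the local Administrators group (S-1-5-32-544) on this machine?
function Get-LocalAdminMembers {
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Select-Object Name, ObjectClass, PrincipalSource
}

# 2. Which broad principals hold an Allow ACE with write access on the path?
function Get-BroadWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Ask for identities as SIDs so they can be matched against $Broad.
    foreach ($ace in $acl.GetAccessRules($true, $true, $SidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $Broad.ContainsKey($sid) -and
            (([int]$ace.FileSystemRights -band $WriteData) -ne 0)) {
            [pscustomobject]@{ Principal = $Broad[$sid]; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

# 3. Grant Modify to the application group and drop explicit Authenticated Users ACEs (inherited ACEs stay).
function Set-DbAclToGroup {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Group)
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
    $acl.AddAccessRule($rule)
    $acl.PurgeAccessRules($authUsers)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

Get-LocalAdminMembers
Get-BroadWriteAce -Path $DbPath
# Set-DbAclToGroup -Path $DbPath -Group $AppGroup   # run after reviewing the audit output
```

If `Get-BroadWriteAce` still reports an entry with `Inherited = True` after the change, that ACE comes from a parent folder and has to be corrected there.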
