Solved

re-configure AD

Posted on 2007-03-26
14
Medium Priority
186 Views
Last Modified: 2010-08-05
I had this question posted on the forum last week:
rrajani wrote:
"Have a single server with DC and Exchange 03 on it... 60 users... Is there a way I can stop the users from installing software and modifying Outlook on their local machines? All 60 users are on XP Pro... they are members of Domain Admins and Domain Users... If I remove them from Domain Admins, will it solve my purpose?"

mattyfonz replied:
They are all members of Domain Admins?!
I'll refrain from screaming with horror and just say that it would be a VERY good idea to remove them all from that group immediately.
Use group policy to lock down the client workstations. Having them as part of the Domain Users group should be fine for desktops, as they will be part of the Users group on the local machines and not be able to install software by default unless you give them specific permissions to do so. What exactly are you trying to prevent them from doing?

rrajani wrote:
The ex-admin had configured the AD, and the way he had set it up is, we have
one domain "abc.local" and
one OU 'abc users'
one container 'computers'
All 60 users are members of Domain Users & Domain Admins.
We have several groups created, and all groups are of type 'security' and scope 'global':
group1 : _abc (all users are member of this grp)
group2 : _warehouse managers (all whse managers are member of this group)
group3 : _accounting (all accounting staff are members of this grp)
group4 : _inside sales (all inside sales people are members of this grp)
.........and so on.....

What we basically need to accomplish is,
1. nobody should be able to play around with their outlook once their account is setup on their box
2. nobody should be able to install and uninstall software/hardware on their box
.........etc........
We have a 50/50 workforce... 50% are executives who are kind of a little computer savvy and they understand, but the other 50% are warehouse guys who are nuts...

We do not have any group policies set up yet... Please advise.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
New question as of today:
I removed the users from the Domain Admins group... All the users were not able to open the programs which were installed on their computers... I believe that is because these programs were installed after they were made members of Domain Admins, and now if you remove them from the Domain Admins group... the programs started giving errors...

What is my best way to re-configure AD, looking at the present scenario?



0
Comment
Question by:rrajani
14 Comments
 
LVL 38

Expert Comment

by:Shift-3
ID: 18794295
Try making the INTERACTIVE user a member of the Power Users group on the workstations.  See if this allows the programs to run.

If not, what specific programs aren't working?  Try running a utility like Process Monitor to determine which files and registry keys the users need access to, then grant access to just those specific items.
http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx
0
 

Author Comment

by:rrajani
ID: 18794514
For now I have come across only 3 programs which were not working:

UPS WorldShip
Peachtree
Symantec Procomm Plus (which is used to connect to a Unix server)

I will try the Power Users option and let you know... If I make them Power Users on the local machines, will they be able to install software? In which way is Power Users different than being a member of the Domain Admins group?

0
 
LVL 38

Expert Comment

by:Shift-3
ID: 18794562
Here is more information on the built-in groups:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/windows_security_default_settings.mspx

Power users can "Install programs that do not modify operating system files or install system services".  This is not an ideal situation but is much better than making all users administrators.

Granting users permission to the specific files and registry keys they need is the best solution.
0
 

Author Comment

by:rrajani
ID: 18794964
I used the Power Users option on 1 user to test it out and it seems like it is working... I will be monitoring for a couple of days and will let you know.

If I need to try the second option of running the Process Monitor utility... do I need to run it on each individual user's computer (XP Pro)?
0
 
LVL 38

Expert Comment

by:Shift-3
ID: 18795044
Log on as a user who is not in the Power Users group.  Run Process Monitor and then run one of the problem programs.  Look for ACCESS DENIED entries to see what files and keys the users need permission to.
0
 

Author Comment

by:rrajani
ID: 18795133
At present all the users are

1. on the server - members of Domain Admins and Domain Users
2. on individual computers - members of the Administrators group

So my steps to try out on user abc will be:
1. remove abc from Domain Admins on the server
2. log on to his computer as a member of the Administrators group and run Process Monitor, after giving access
3. change the user on the local machine to belong to the Users group?

Please advise.
0
 
LVL 38

Expert Comment

by:Shift-3
ID: 18795352
Steps 1 and 3 are good.  Step 2 is a little off though.  User abc should just have basic user rights on the workstation.  Here's the way it should go:

1. Remove user abc from the Domain Admins group in Active Directory Users and Computers on the server.
2. Remove user abc (and any groups he/she belongs to) from the Administrators and Power Users groups on the workstation.
3. Log onto the workstation as user abc.
4. Run Process Monitor.  It sits in the background and watches to see what files and registry keys are being accessed.
5. Run one of the problem programs.  You should get an error.
6. As soon as you get the error, stop capturing in Process Monitor by clicking the magnifying glass button on the toolbar.
7. Sift through the entries to see what files and registry keys the user was unable to access.
8. Grant Domain Users permission to access those files and keys.  They should then be able to run the program without being in the Administrators or Power Users groups.
0
 

Author Comment

by:rrajani
ID: 18795663
We have 60 users... if the 8 steps work, then I have to run procmon.exe on all boxes, right?
0
 
LVL 38

Assisted Solution

by:Shift-3
Shift-3 earned 1000 total points
ID: 18795712
No.  Do steps 1 and 2 for all non-administrative users.  Do steps 3-7 one time.  Do step 8 on all the boxes.  This could be automated with a script using the CACLS command.
http://www.ss64.com/nt/cacls.html
0
 

Author Comment

by:rrajani
ID: 18795998
You mean, do steps 1 & 2 for administrator users, right? I haven't used procmon.exe before, so it is kind of hard for me to understand... so please bear with me. Without running steps 3-7, how can you run step 8?
0
 

Author Comment

by:rrajani
ID: 18796006
All 60 users are members of Domain Admins in AD and belong to the Administrators group on the local boxes.
0
 
LVL 38

Accepted Solution

by:Shift-3
Shift-3 earned 1000 total points
ID: 18796056
Do steps 1 and 2 for all users who are currently in the Domain Admins group but who do not actually require those privileges to administer the network on a daily basis.

Steps 3-7 will tell you what files and keys the users require access to in order to run the programs.  These will be the same for all users, so you only have to do this part once.  Once you know which files and keys are required, grant all users the access to them.

If you are uncomfortable with these procedures then it would be simplest just to add the INTERACTIVE account to the Power Users group on all workstations.  This is a straightforward solution which does not compromise security too badly.
0
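Steps 3-8 above (capture ACCESS DENIED events once, then grant Domain Users access on every box, scripted with CACLS) can be tied together in a small script. The following is an added example, not code from the thread or from Sysinternals: it assumes Process Monitor's default CSV export column layout, uses a constructed sample log with a made-up process name, and the domain name in the generated CACLS lines is a placeholder.

```python
import csv
import io

# Constructed sample of a Process Monitor CSV export (File > Save as CSV).
# The column layout is assumed to match Procmon's default export; the rows,
# process name and paths are made up for this example.
SAMPLE_CSV = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
"10:02:11.1","problemapp.exe","1204","CreateFile","C:\\Program Files\\ProblemApp\\Company\\data.dat","ACCESS DENIED","Desired Access: Generic Write"
"10:02:11.2","problemapp.exe","1204","RegOpenKey","HKLM\\SOFTWARE\\ProblemApp\\Settings","ACCESS DENIED","Desired Access: Write"
"10:02:11.3","problemapp.exe","1204","CreateFile","C:\\WINDOWS\\system32\\kernel32.dll","SUCCESS","Desired Access: Read"
"10:02:11.4","explorer.exe","988","RegQueryValue","HKCU\\Software\\Microsoft\\Windows","ACCESS DENIED","Length: 144"
"10:02:11.5","problemapp.exe","1204","CreateFile","C:\\Program Files\\ProblemApp\\Company\\data.dat","ACCESS DENIED","Desired Access: Generic Write"
"""

REGISTRY_ROOTS = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\")


def denied_paths(csv_text, process_name):
    """Step 7: return (files, registry_keys) that process_name was denied.

    Other processes and successful operations are ignored, and duplicate
    paths are collapsed, so the result is the minimal set to grant."""
    files, keys = set(), set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Result"] != "ACCESS DENIED":
            continue
        path = row["Path"]
        if path.upper().startswith(REGISTRY_ROOTS):
            keys.add(path)
        else:
            files.add(path)
    return sorted(files), sorted(keys)


def cacls_commands(files, group="DOMAIN\\Domain Users"):
    """Step 8 for files: CACLS lines that edit the ACL in place (/E) and
    grant (/G) Change rights (:C) to the group rather than Full Control.
    DOMAIN is a placeholder; CACLS does not handle registry keys, so those
    are listed separately for regedit (Edit > Permissions)."""
    return ['cacls "%s" /E /G "%s":C' % (path, group) for path in files]


if __name__ == "__main__":
    denied_files, denied_keys = denied_paths(SAMPLE_CSV, "problemapp.exe")
    print("\n".join(cacls_commands(denied_files, "ABC\\Domain Users")))
    print("Registry keys to grant manually:", denied_keys)
```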
 

Author Comment

by:rrajani
ID: 18818176
I performed steps 1, 2 and 3, and when I run step 4 it tells me that the user does not have administrator rights to run procmon.exe.

User abc is a domain user and that user is not created on the local machine... Do I have to add user 'abc' on the local machine, and under domain do I have to add the main server domain or the local computer domain?
0
 
LVL 38

Expert Comment

by:Shift-3
ID: 18818308
Ah.  Log onto the workstation as the domain user abc and then right-click Procmon (or you might have to Shift-right click), select Run As, and log on as administrator.  That should allow you to run Procmon but still monitor events from the user.
0
