rrajani
re-configure AD

I had this question posted on the forum last week:
rrajani wrote:
"I have a single server with the DC and Exchange 03 on it, with 60 users. Is there a way I can stop the users from installing software or modifying Outlook on their local machines? All 60 users are on XP Pro. They are members of Domain Admins and Domain Users. If I remove them from Domain Admins, will it solve my purpose?"

mattyfonz replied:
They are all members of Domain Admins?!
I'll refrain from screaming with horror and just say that it would be a VERY good idea to remove them all from that group immediately.
Use Group Policy to lock down the client workstations. Having them in the Domain Users group should be fine for desktops, as they will be part of the Users group on the local machines and will not be able to install software by default unless you give them specific permissions to do so. What exactly are you trying to prevent them from doing?

rrajani wrote:
The ex-admin had configured the AD, and the way he had set it up is: we have
one domain, "abc.local",
one OU, 'abc users', and
one container, 'computers'.
All 60 users are members of Domain Users and Domain Admins.
We have several groups created, all of type 'security' and scope 'global':
group1: _abc (all users are members of this group)
group2: _warehouse managers (all warehouse managers are members of this group)
group3: _accounting (all accounting staff are members of this group)
group4: _inside sales (all inside sales people are members of this group)
... and so on.

What we basically need to accomplish is:
1. Nobody should be able to play around with their Outlook once their account is set up on their box.
2. Nobody should be able to install and uninstall software/hardware on their box.
... etc.
We have a 50/50 workforce: 50% are executives who are a little computer savvy and understand, but the other 50% are warehouse guys who are nuts.

We do not have any Group Policies set up yet. Please advise.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
New question as of today:
I removed the users from the Domain Admins group. All the users were then unable to open the programs which were installed on their computers. I believe that is because these programs were installed after they were made members of Domain Admins, and now that they are removed from the Domain Admins group, the programs started giving errors.

What is my best way to re-configure AD, looking at the present scenario?



Shift-3

Try making the INTERACTIVE user a member of the Power Users group on the workstations.  See if this allows the programs to run.

If not, what specific programs aren't working?  Try running a utility like Process Monitor to determine which files and registry keys the users need access to, then grant access to just those specific items.
http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx
rrajani (ASKER)

For now I have come across only 3 programs which were not working:

UPS WorldShip
Peachtree
Symantec Procomm Plus (which is used to connect to the Unix server)

I will try the Power Users option and let you know. If I make them Power Users on the local machines, will they be able to install software? In which way is Power Users different than being a member of the Domain Admins group?

Here is more information on the built-in groups:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/windows_security_default_settings.mspx

Power users can "Install programs that do not modify operating system files or install system services".  This is not an ideal situation but is much better than making all users administrators.

Granting users permission to the specific files and registry keys they need is the best solution.
rrajani (ASKER)

I used the Power Users option on 1 user to test it out and it seems like it is working. I will be monitoring for a couple of days and will let you know.

If I need to try the second option of running the Process Monitor utility, do I need to run it on each individual user's computer (XP Pro)?
Log on as a user who is not in the Power Users group.  Run Process Monitor and then run one of the problem programs.  Look for ACCESS DENIED entries to see what files and keys the users need permission to.
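The "look for ACCESS DENIED entries" step above (and the sifting in step 7 of the procedure later in the thread) is easier against a CSV export of the capture than against the live GUI. The following PowerShell is an added example, not code from the thread or from Sysinternals; it assumes Process Monitor's default column layout when saving as CSV, and the rows in `$sample` are constructed placeholder data (process name, paths and key names are invented, not from this thread).

```powershell
# Added example (not from the thread): summarise ACCESS DENIED entries from a
# Process Monitor CSV export (File > Save..., CSV format) so you do not have to
# scroll through every event by hand.
# $sample is CONSTRUCTED data in Procmon's default column layout; the process
# name, paths and registry keys are placeholders.
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1","exampleapp.exe","1234","CreateFile","C:\Program Files\ExampleApp\settings.ini","ACCESS DENIED","Desired Access: Generic Write"
"9:01:02.2","exampleapp.exe","1234","CreateFile","C:\Program Files\ExampleApp\app.exe","SUCCESS","Desired Access: Execute"
"9:01:02.3","exampleapp.exe","1234","RegOpenKey","HKLM\SOFTWARE\ExampleVendor\ExampleApp","ACCESS DENIED","Desired Access: Set Value"
"9:01:02.4","exampleapp.exe","1234","RegOpenKey","HKCU\Software\ExampleVendor","NAME NOT FOUND","Desired Access: Read"
"9:01:02.5","exampleapp.exe","1234","CreateFile","C:\Program Files\ExampleApp\settings.ini","ACCESS DENIED","Desired Access: Generic Write"
'@

function Get-AccessDeniedSummary {
    param([string]$CsvText)

    # ConvertFrom-Csv turns the header row into property names (Path, Result, ...).
    $events = $CsvText | ConvertFrom-Csv

    # Only ACCESS DENIED is a permission problem. SUCCESS is normal, and
    # NAME NOT FOUND is usually just the program probing optional locations.
    $events |
        Where-Object { $_.Result -eq 'ACCESS DENIED' } |
        Group-Object -Property Path, Operation |
        ForEach-Object {
            [pscustomobject]@{
                Path      = $_.Group[0].Path
                Operation = $_.Group[0].Operation
                Access    = $_.Group[0].Detail   # which right was wanted (write, set value, ...)
                Hits      = $_.Count
            }
        } |
        Sort-Object Hits -Descending
}

# Against a real export: Get-AccessDeniedSummary -CsvText (Get-Content .\Logfile.CSV -Raw)
Get-AccessDeniedSummary -CsvText $sample | Format-Table -AutoSize
```

The output is the short list of files and keys to grant access to: one line per path and operation, with the requested right in the Detail column so you can give Modify where the program wanted to write and nothing more. The two constructed ACCESS DENIED rows for `settings.ini` collapse into a single line with two hits.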
rrajani (ASKER)

At present all the users are:

1. On the server: members of Domain Admins and Domain Users.
2. On the individual computers: members of the Administrators group.

So my steps to try out on user abc will be:
1. Remove abc from Domain Admins on the server.
2. Log on to his computer as a member of the Administrators group and run Process Monitor, after giving access.
3. Change the user on the local machine to belong to the Users group?

Please advise.
Steps 1 and 3 are good.  Step 2 is a little off though.  User abc should just have basic user rights on the workstation.  Here's the way it should go:

1. Remove user abc from the Domain Admins group in Active Directory Users and Computers on the server.
2. Remove user abc (and any groups he/she belongs to) from the Administrators and Power Users groups on the workstation.
3. Log onto the workstation as user abc.
4. Run Process Monitor.  It sits in the background and watches to see what files and registry keys are being accessed.
5. Run one of the problem programs.  You should get an error.
6. As soon as you get the error, stop capturing in Process Monitor by clicking the magnifying glass button on the toolbar.
7. Sift through the entries to see what files and registry keys the user was unable to access.
8. Grant Domain Users permission to access those files and keys.  They should then be able to run the program without being in the Administrators or Power Users groups.
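Steps 2 and 8 of the procedure above can be scripted on the workstation once Process Monitor has told you which items were denied. The following PowerShell is an added example, not code from the thread; it assumes a domain NetBIOS name of `ABC`, a user named `abc`, and two placeholder paths standing in for whatever the capture actually showed. The `net localgroup` command also works on XP; the ACL cmdlets need a PowerShell-capable client.

```powershell
# Added example (not from the thread): steps 2 and 8 of the procedure above.
# Assumptions: domain NetBIOS name ABC, user abc. The directory and registry key
# are PLACEHOLDERS; replace them with the exact items Process Monitor reported
# as ACCESS DENIED, not the whole Program Files or HKLM\SOFTWARE tree.
$domain   = 'ABC'
$user     = 'abc'
$fileDirs = @('C:\Program Files\ExampleApp')              # placeholder
$regKeys  = @('HKLM:\SOFTWARE\ExampleVendor\ExampleApp')  # placeholder

# Step 2: take the user out of the local Administrators and Power Users groups.
foreach ($group in 'Administrators', 'Power Users') {
    & net localgroup $group "$domain\$user" /delete
}

# Step 8a: let Domain Users modify the program's own directory. The inheritance
# flags make the rule apply to subfolders and files underneath it.
$fsRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$domain\Domain Users",
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

foreach ($dir in $fileDirs) {
    $acl = Get-Acl -Path $dir
    $acl.AddAccessRule($fsRule)
    Set-Acl -Path $dir -AclObject $acl
}

# Step 8b: let Domain Users read and write the program's own registry key and
# its subkeys. ReadKey + WriteKey covers query/set value and create subkey
# without handing out Full Control.
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    "$domain\Domain Users",
    [System.Security.AccessControl.RegistryRights]'ReadKey, WriteKey',
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

foreach ($key in $regKeys) {
    $acl = Get-Acl -Path $key
    $acl.AddAccessRule($regRule)
    Set-Acl -Path $key -AclObject $acl
}

# Verify: show only the Domain Users entries that are now in place.
foreach ($item in $fileDirs + $regKeys) {
    (Get-Acl -Path $item).Access |
        Where-Object { $_.IdentityReference -like "*Domain Users" } |
        Select-Object @{n = 'Item'; e = { $item } }, IdentityReference, FileSystemRights, RegistryRights
}
```

Run it from an elevated prompt on the workstation. Granting Domain Users only the specific files and keys that showed up as ACCESS DENIED keeps the local Users group membership meaningful: the users can run the program, but still cannot install software or touch other parts of the system.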
rrajani (ASKER)

We have 60 users. If the 8 steps work, then I have to run procmon.exe on all the boxes, right?
SOLUTION (Shift-3)

This solution is only available to members.
rrajani (ASKER)

You mean, do steps 1 and 2 for administrator users, right? I haven't used procmon.exe before, so it is kind of hard for me to understand, so please bear with me. Without running steps 3-7, how can you run step 8?
rrajani (ASKER)

All 60 users are members of Domain Admins in AD and belong to the Administrators group on the local boxes.
ASKER CERTIFIED SOLUTION

This solution is only available to members.
rrajani (ASKER)

I performed steps 1, 2 and 3, and when I run step 4 it tells me that the user does not have administrator rights to run procmon.exe.

User abc is a domain user, and that user is not created on the local machine. Do I have to add user 'abc' on the local machine, and under domain do I have to add the main server domain or the local computer domain?
Ah.  Log onto the workstation as the domain user abc and then right-click Procmon (or you might have to Shift-right click), select Run As, and log on as administrator.  That should allow you to run Procmon but still monitor events from the user.