Solved

re-configure AD

Posted on 2007-03-26
Last Modified: 2010-08-05
I had this question posted on the forum last week:
rrajani wrote:
"I have a single server with DC and Exchange 03 on it... 60 users... Is there a way I can stop the users from installing software or modifying Outlook on their local machines? All 60 users are on XP Pro. They are members of Domain Admins and Domain Users. If I remove them from Domain Admins, will it solve my purpose?"

mattyfonz replied:
They are all members of Domain Admins?!
I'll refrain from screaming with horror and just say that it would be a VERY good idea to remove them all from that group immediately.
Use Group Policy to lock down the client workstations. Having them in the Domain Users group should be fine for desktops, as they will be part of the Users group on the local machines and not be able to install software by default unless you give them specific permissions to do so. What exactly are you trying to prevent them from doing?

rrajani wrote:
The ex-admin had configured the AD, and the way he had set it up is, we have
one domain "abc.local",
one OU 'abc users',
one container 'computers'.
All 60 users are members of Domain Users & Domain Admins.
We have several groups created, and all groups are of type 'security' and scope 'global':
group1 : _abc (all users are members of this group)
group2 : _warehouse managers (all warehouse managers are members of this group)
group3 : _accounting (all accounting staff are members of this group)
group4 : _inside sales (all inside sales people are members of this group)
... and so on.

What we basically need to accomplish is:
1. nobody should be able to play around with their Outlook once their account is set up on their box
2. nobody should be able to install and uninstall software/hardware on their box
... etc.
We have a 50/50 workforce: 50% are executives who are a little computer savvy and they understand, but the other 50% are warehouse guys who are nuts.

We do not have any group policies set up yet. Please advise.
----
New question as of today:
I removed the users from the Domain Admins group. All the users were not able to open the programs which were installed on their computers. I believe that is because these programs were installed after they were made members of Domain Admins, and now if you remove them from the Domain Admins group, the programs start giving errors.

What is my best way to re-configure AD, looking at the present scenario?
Question by: rrajani

14 Comments
Expert Comment by: Shift-3 (LVL 38)
Try making the INTERACTIVE user a member of the Power Users group on the workstations.  See if this allows the programs to run.

If not, what specific programs aren't working?  Try running a utility like Process Monitor to determine which files and registry keys the users need access to, then grant access to just those specific items.
http://www.microsoft.com/technet/sysinternals/utilities/processmonitor.mspx

Author Comment by: rrajani
For now I have come across only 3 programs which were not working:

UPS WorldShip
Peachtree
Symantec Procomm Plus (which is used to connect to a Unix server)

I will try the Power Users option and let you know. If I make them Power Users on the local machines, will they be able to install software? In which way are Power Users different from being a member of the Domain Admins group?


Expert Comment by: Shift-3 (LVL 38)
Here is more information on the built-in groups:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/windows_security_default_settings.mspx

Power users can "Install programs that do not modify operating system files or install system services".  This is not an ideal situation but is much better than making all users administrators.

Granting users permission to the specific files and registry keys they need is the best solution.

Author Comment by: rrajani
I used the Power Users option on 1 user to test it out and it seems like it is working. I will be monitoring for a couple of days and will let you know.

If I need to try the second option of running the Process Monitor utility, do I need to run it on each individual user's computer (XP Pro)?

Expert Comment by: Shift-3 (LVL 38)
Log on as a user who is not in the Power Users group.  Run Process Monitor and then run one of the problem programs.  Look for ACCESS DENIED entries to see what files and keys the users need permission to.

Author Comment by: rrajani
At present all the users are:

1. on the server - members of Domain Admins and Domain Users
2. on individual computers - members of the Administrators group

So my steps to try out on user abc will be:
1. remove abc from Domain Admins on the server
2. log on to his computer as a member of the admin group and run Process Monitor, after giving access
3. change the user on the local machine to belong to the Users group?

Please advise.

Expert Comment by: Shift-3 (LVL 38)
Steps 1 and 3 are good.  Step 2 is a little off though.  User abc should just have basic user rights on the workstation.  Here's the way it should go:

1. Remove user abc from the Domain Admins group in Active Directory Users and Computers on the server.
2. Remove user abc (and any groups he/she belongs to) from the Administrators and Power Users groups on the workstation.
3. Log onto the workstation as user abc.
4. Run Process Monitor.  It sits in the background and watches to see what files and registry keys are being accessed.
5. Run one of the problem programs.  You should get an error.
6. As soon as you get the error, stop capturing in Process Monitor by clicking the magnifying glass button on the toolbar.
7. Sift through the entries to see what files and registry keys the user was unable to access.
8. Grant Domain Users permission to access those files and keys.  They should then be able to run the program without being in the Administrators or Power Users groups.

Author Comment by: rrajani
We have 60 users. If the 8 steps work, then I have to run procmon.exe on all boxes, right?

Assisted Solution by: Shift-3 (LVL 38, earned 250 total points)
No.  Do steps 1 and 2 for all non-administrative users.  Do steps 3-7 one time.  Do step 8 on all the boxes.  This could be automated with a script using the CACLS command.
http://www.ss64.com/nt/cacls.html

Author Comment by: rrajani
You mean, do steps 1 & 2 for administrator users, right? I haven't used procmon.exe before, so it is kind of hard for me to understand, so please bear with me. Without running steps 3-7, how can you run step 8?

Author Comment by: rrajani
All 60 users are members of Domain Admins in AD and belong to the Administrators group on the local boxes.

Accepted Solution by: Shift-3 (LVL 38, earned 250 total points)
Do steps 1 and 2 for all users who are currently in the Domain Admins group but who do not actually require those privileges to administer the network on a daily basis.

Steps 3-7 will tell you what files and keys the users require access to in order to run the programs.  These will be the same for all users, so you only have to do this part once.  Once you know which files and keys are required, grant all users the access to them.

If you are uncomfortable with these procedures then it would be simplest just to add the INTERACTIVE account to the Power Users group on all workstations.  This is a straightforward solution which does not compromise security too badly.
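Step 8 of Shift-3's procedure, scripted: an added PowerShell example (not a script from the thread, and a stand-in for the CACLS script mentioned above) that reads a Process Monitor capture saved as CSV, keeps only the ACCESS DENIED rows, and grants Domain Users Modify rights on just those files and HKLM keys. The export location, the domain name 'ABC' and the Procmon column names are assumptions; run it from an administrator session on each workstation, first with -DryRun to review the list.

```powershell
# Added example, not a script from the thread. Automates step 8: grant
# Domain Users access to the files and registry keys Procmon reported as
# ACCESS DENIED. Export path and domain name 'ABC' are placeholders.
param(
    [string]$ProcmonCsv = 'C:\temp\procmon-denied.csv',   # File > Save... as CSV in Procmon
    [string]$Principal  = 'ABC\Domain Users',
    [switch]$DryRun                                        # list planned changes, touch no ACL
)

$AC    = 'System.Security.AccessControl'
$none  = [System.Security.AccessControl.PropagationFlags]::None
$allow = [System.Security.AccessControl.AccessControlType]::Allow

# Procmon's CSV export carries Path and Result columns; keep each denied path once.
$denied = Import-Csv -Path $ProcmonCsv |
    Where-Object { $_.Result -eq 'ACCESS DENIED' } |
    ForEach-Object { $_.Path } | Sort-Object -Unique

foreach ($path in $denied) {
    if ($path -match '^HKLM\\(.+)$') {
        # Registry key: Procmon writes HKLM\..., the PowerShell provider wants HKLM:\...
        $target = "HKLM:\$($Matches[1])"
        if (-not (Test-Path -LiteralPath $target)) { Write-Warning "missing key $target"; continue }
        $rights = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey, Delete'
        $flags  = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
        $rule   = New-Object -TypeName "$AC.RegistryAccessRule" -ArgumentList $Principal, $rights, $flags, $none, $allow
    }
    elseif ($path -match '^[A-Za-z]:\\') {
        # File system path. A denied create/write on a file that does not exist yet
        # needs the rule on its parent folder; an existing file gets a non-inheriting rule.
        $target = $path
        if (-not (Test-Path -LiteralPath $target)) { $target = Split-Path -Parent $path }
        if (-not (Test-Path -LiteralPath $target)) { Write-Warning "missing path $target"; continue }
        $isDir = (Get-Item -LiteralPath $target).PSIsContainer
        $flags = if ($isDir) { [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit' }
                 else        { [System.Security.AccessControl.InheritanceFlags]::None }
        $rule  = New-Object -TypeName "$AC.FileSystemAccessRule" -ArgumentList $Principal, 'Modify', $flags, $none, $allow
    }
    else {
        # HKCU already belongs to the user; HKCR, HKU, named pipes and UNC paths are left alone here.
        Write-Warning "skipping $path"
        continue
    }

    if ($DryRun) { "would grant $Principal on $target"; continue }
    $acl = Get-Acl -LiteralPath $target
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $target -AclObject $acl
    "granted $Principal on $target"
}
```

Modify rather than Full Control keeps users from changing the permissions themselves, and granting only the paths on the list is what keeps this tighter than the Power Users shortcut.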

Author Comment by: rrajani
I performed steps 1, 2 and 3, and when I run step 4 it tells me that the user does not have administrator rights to run procmon.exe.

User abc is a domain user and that user is not created on the local machine. Do I have to add user 'abc' on the local machine, and under domain do I have to add the main server domain or the local computer domain?

Expert Comment by: Shift-3 (LVL 38)
Ah.  Log onto the workstation as the domain user abc and then right-click Procmon (or you might have to Shift-right click), select Run As, and log on as administrator.  That should allow you to run Procmon but still monitor events from the user.