Solved

Restrict Clients from viewing Domain Structue/OUs using GPMC

Posted on 2007-04-05
Last Modified: 2012-05-05
Server 2003 SP1 and AD 2003
Clients (workstations) - XP PRO.  Domain users are local administrators on the client machine.

GPMC can be used on any client to view policies that apply to each OU.  I want to restrict it such that no client machine can view GP policies per OU.  For example, I have an OU for Sales.  I don't want a user in the Finance department to be able to run GPMC on their machine and be able to browse the OUs in the domain and see what login scripts, policies, etc they are using.  

For that matter, I don't want any client able to view the Domain/OU structure!

Thanks,

Question by:top_rung

11 Comments
LVL 26

Expert Comment

by:MidnightOne
ID: 18861743
Unless they have domain admin rights on the domain, they shouldn't have the access rights to use the GPMC or ADUC tools against a domain controller.
LVL 14

Author Comment

by:top_rung
ID: 18863839
Yeah, that is what I expected, but they can use the GPMC.  The users are only Authenticated Domain users.  No administrative rights whatsoever except on their local machines.

They can not make any changes, but they can view the structure and such.  :-\
LVL 26

Expert Comment

by:MidnightOne
ID: 18864457
Do the clients -require- admin access on the local machines? Although that's a separate problem, it will keep them from installing the admin tools and other idiocy.
LVL 14

Author Comment

by:top_rung
ID: 18864762
Yes they require it - being developers and such.  That company policy won't change unfortunately.

I just can't believe that it is that simple to browse the hierarchy on the domain controller.  This is a problem because employees using the tool are seeing the tiers of management and the varying share rights based on OU names and script names.  

I need to restrict it if at all possible.

LVL 14

Author Comment

by:top_rung
ID: 18867180
up'd points
LVL 26

Expert Comment

by:MidnightOne
ID: 18868411
Unfortunately, you won't be able to stop them from getting at the logon scripts at all; these are housed at %logonserver%\netlogon and all users have RX privileges to that share and files.

It's possible to use GPO software installation to remove the admin tools from the user's workstations, but given the myriad versions this may be cumbersome at best.

Do the users have the tools installed locally?
LVL 14

Author Comment

by:top_rung
ID: 18892416
Yes, the users have the tools installed locally.

Again, it isn't simply the viewing of the scripts, but more so the AD structure.

So you think the only solution is to remove the tools and either restrict install or live with it?


LVL 26

Expert Comment

by:MidnightOne
ID: 19031462
Here's a possibility to add to the logon script, presuming you can put the admin tools installer in the netlogon folder:

msiexec /x %logonserver%\netlogon\adminpak.msi /qn /quiet

This performs an immediate stealth uninstall of the admin tools.

HAND

MidnightOne
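The logon-script idea from the comment above, worked into a fuller script as an added example (not part of the thread): it uninstalls the Administration Tools Pack only when it is actually present and writes a line to a central log so the administrator can see which workstations and users keep reinstalling it. Assumptions: adminpak.msi has been copied into NETLOGON as suggested, the pack registers under the display name "Windows Server 2003 Administration Tools Pack" in Add/Remove Programs, and \\FILESERVER\AdminPakLog$ is a hypothetical share users can append to.

```batch
@echo off
rem Added example, not from the thread. Removes the admin tools pack at
rem logon and records each removal for the domain administrator.
rem Assumed paths: adminpak.msi in NETLOGON, a hypothetical log share.
setlocal
set MSI=%logonserver%\netlogon\adminpak.msi
set LOGFILE=\\FILESERVER\AdminPakLog$\adminpak-removals.log

rem msiexec /x needs the package, so do nothing if it is not in NETLOGON.
if not exist "%MSI%" (
    echo adminpak.msi not found in NETLOGON, nothing to do.
    goto :eof
)

rem Check the Add/Remove Programs registry data (assumed display name)
rem instead of running msiexec blindly on every logon.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s | find /i "Administration Tools Pack" >nul
if errorlevel 1 (
    echo Administration Tools Pack is not installed on %computername%.
    goto :eof
)

rem Silent uninstall as in the thread; /norestart avoids a surprise reboot.
msiexec /x "%MSI%" /qn /norestart
set RC=%errorlevel%

rem One log line per removal: when, which machine, which user, msiexec result.
echo %date% %time% %computername% %username% msiexec_rc=%RC%>>"%LOGFILE%"
endlocal
```

As the next comment notes, this only runs at logon, so the tools can be reinstalled and used within a session; the log at least shows the administrator where that is happening.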
LVL 14

Author Comment

by:top_rung
ID: 19031671
Haha, that's cool and funny.  They will install it repeatedly and it will be removed every time they log on.  The only problem with that is they will install it after they are logged on and use it during that session :-\

I am going to try that (at the least) to see how annoyed they get with it.  
LVL 26

Accepted Solution

by:MidnightOne (earned 500 total points)
ID: 19031696
Unless you have either the political backing to cause the developers great pain if they persist or the go-ahead to remove them from the local administrator's group of their systems, you're pretty much out of luck.

MidnightOne
LVL 14

Author Comment

by:top_rung
ID: 19033483
That is the answer I needed.  Pretty crummy that it works that way.

Thanks for your suggestions!
