Security iwth Windows Server 2003 Administration Tools Pack -- Anyone can see everything?

Posted on 2007-08-11
Last Modified: 2013-12-04
We just started using the Windows Server 2003 Administration Tools Pack on a couple of laptops.  It's great and works fine.  However, I installed the pack on several users machines (just for kicks to see how it works) and they are only USERS in the domain and can VIEW just about everything!  They can even modify a couple of things.  

Where is the security to people out from being able to do anything to our controllers if they stumble upon the admin pack!

Question by:jgantes
    LVL 70

    Accepted Solution

    If they are not admins then they can't do anything of consequence other than looking - all users must be able to read most of AD in order to participate in the domain.

    If you really want to stop them using any admin tools then you can use a software restriction policy to prohibit the use of MMC and apply it to the domain. You coulld then use filtering to stop the policy being applied to Admins, or place the admins in a seperate OU and block policy inheritance.
    LVL 31

    Expert Comment

    by:Toni Uranjek

    Limited user is not able to install adminpak.msi and even if you install it as administrator, domain user should be not able to modify AD. I'm curios what kind of modificitaions are you talking about?


    Author Comment

    Oddly, when I installed on a Domain Users machine they could make some simple modifications.  For th emost part, you are correct, they couldn't do much at all but view.  And, understandably, they need to be able to read from the directory otherwise AD couldn't function :-)  

    They could modify:
    1) Under our Office_Computers OU, they could modify the membership of a computer, but nothing else.(Once I click ok here it says NO PERMISSIONS)

    2) In our Office_Users OU, they could modify items on the Terminal Service Profiles tab.

    3) In our Office_Users OU, they could modify items on the Remote Control tab.

    4) In our Office_Users OU, they could modify Direct Reports on the Organization tab

    5) In our Office_Users OU, they could modify items on the Environment tab

    6) In our Office_Users OU, they could modify Membership on the Member of Tab (Once I click ok here it says NO PERMISSIONS)

    I'll need to do some more reading on the items you listed above.  I only want select admins to be able to work in this program.  Also, is there a way to restrict WHAT they can do in the tool kit?

    I did a good amount of reading on MS site, but that was after another problem I was dealing with regarding the "UseInternnetPorts" key on our controller... so I was a little tired.


    Featured Post

    Looking for New Ways to Advertise?

    Engage with tech pros in our community with native advertising, as a Vendor Expert, and more.

    Join & Write a Comment

    Article by: btan
    The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
    This is a short article about OS X KeRanger, and what people can do to get rid of it.
    Need more eyes on your posted question? Go ahead and follow the quick steps in this video to learn how to Request Attention to your question. *Log into your Experts Exchange account *Find the question you want to Request Attention for *Go to the e…
    Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…

    733 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    23 Experts available now in Live!

    Get 1:1 Help Now