  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 259

Security with Windows Server 2003 Administration Tools Pack -- Anyone can see everything?

We just started using the Windows Server 2003 Administration Tools Pack on a couple of laptops. It's great and works fine. However, I installed the pack on several users' machines (just for kicks to see how it works) and they are only USERS in the domain and can VIEW just about everything! They can even modify a couple of things.

Where is the security to keep people from being able to do anything to our controllers if they stumble upon the admin pack?

Thanks
Asked: jgantes
1 Solution
 
KCTS Commented:
If they are not admins then they can't do anything of consequence other than looking - all users must be able to read most of AD in order to participate in the domain.

If you really want to stop them using any admin tools then you can use a software restriction policy to prohibit the use of MMC and apply it to the domain. You could then use filtering to stop the policy being applied to Admins, or place the admins in a separate OU and block policy inheritance.

http://technet.microsoft.com/en-us/library/bb457006.aspx
and
http://support.microsoft.com/kb/324036
 
0
 
Toni Uranjek (Consultant/Trainer) Commented:
Hi!

A limited user is not able to install adminpak.msi, and even if you install it as administrator, a domain user should not be able to modify AD. I'm curious what kind of modifications you are talking about?

Toni
0
 
jgantes (Author) Commented:
Oddly, when I installed on a Domain User's machine they could make some simple modifications. For the most part, you are correct, they couldn't do much at all but view. And, understandably, they need to be able to read from the directory otherwise AD couldn't function :-)

They could modify:
1) Under our Office_Computers OU, they could modify the membership of a computer, but nothing else.(Once I click ok here it says NO PERMISSIONS)

2) In our Office_Users OU, they could modify items on the Terminal Service Profiles tab.

3) In our Office_Users OU, they could modify items on the Remote Control tab.

4) In our Office_Users OU, they could modify Direct Reports on the Organization tab

5) In our Office_Users OU, they could modify items on the Environment tab

6) In our Office_Users OU, they could modify Membership on the Member of Tab (Once I click ok here it says NO PERMISSIONS)

I'll need to do some more reading on the items you listed above.  I only want select admins to be able to work in this program.  Also, is there a way to restrict WHAT they can do in the tool kit?

I did a good amount of reading on the MS site, but that was after another problem I was dealing with regarding the "UseInternetPorts" key on our controller... so I was a little tired.

Thanks!
0
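
An added example, not part of any post in this thread: what a non-admin can actually change is decided by the permissions on the directory objects, not by whether the admin tools are installed, so this PowerShell script lists allow entries that give write-type rights to broad groups on the objects under an OU. The OU distinguished name is a placeholder, and the choice of which rights and groups to flag is an assumption of this example.

```powershell
# Added example. $OuDn is a placeholder DN (assumption); pass your own OU.
param([string]$OuDn = 'OU=Office_Users,DC=example,DC=com')

Add-Type -AssemblyName System.DirectoryServices

# Rights that change the directory. Read/list rights are expected for every
# domain user; extended rights are left out of this mask.
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Self, CreateChild, DeleteChild, Delete, DeleteTree, WriteDacl, WriteOwner'

# SIDs of broad groups: Everyone, Authenticated Users, BUILTIN\Users,
# and any domain's "Domain Users" group (RID 513).
$broadSid = '^(S-1-1-0|S-1-5-11|S-1-5-32-545|S-1-5-21-\d+-\d+-\d+-513)$'

$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$OuDn")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.SearchScope = 'Subtree'
$searcher.PageSize = 500
# Computer objects are a subclass of user, so this filter covers them too.
$searcher.Filter = '(|(objectClass=organizationalUnit)(objectClass=user))'

foreach ($hit in $searcher.FindAll()) {
    $obj = $hit.GetDirectoryEntry()
    # Explicit and inherited ACEs, with trustees returned as SIDs.
    $rules = $obj.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notmatch $broadSid) { continue }

        $granted = [int]$ace.ActiveDirectoryRights -band [int]$writeMask
        if ($granted -eq 0) { continue }

        [pscustomobject]@{
            Object    = $hit.Path
            Trustee   = $ace.IdentityReference.Translate(
                            [System.Security.Principal.NTAccount]).Value
            Rights    = $ace.ActiveDirectoryRights
            # Attribute or property-set GUID; all zeros means the whole object.
            AppliesTo = $ace.ObjectType
            Inherited = $ace.IsInherited
        }
    }
}
```

No output means none of the scanned objects grants these rights to the listed groups; any row that does appear names the object and the ACE to review.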
