Solved

How to restrict Windows 2003 domain administrators from accessing the local resources of client PCs?

Posted on 2008-06-17
17
251 Views
Last Modified: 2013-12-04
Hi,
I have a Windows 2003 domain with almost 100 clients. Most of the clients have data which they don't want to be exposed to anyone but them. How can I restrict everyone else but the user of the client computer from accessing the data on the clients? (All the clients are part of the domain.)
Thanks
0
Comment
Question by:Inf0rmation
17 Comments
 
LVL 6

Expert Comment

by:tlowejr
ID: 21803755
You can set up the users so they do not have permission to log on to anyone else's machine.
0
 
LVL 12

Expert Comment

by:nsx106052
ID: 21803776
You could start by setting the NTFS permissions so only they have rights to the file or folder. Then you could incorporate encryption if you want to take it a step further.
0
 
LVL 3

Expert Comment

by:superiz
ID: 21803793
Edit the local "Users" and local "Administrators" groups on each PC to contain only the domain users and administrators that you wish to have access to that machine.
0
 

Author Comment

by:Inf0rmation
ID: 21803839
tlowejr: How?
nsx106052: NTFS restrictions are to be set on individual computers, and in a domain model they may be overwritten by admins. Encryption is the last option which I am considering. I want something domain based within Windows 2003 Server capabilities (policy based).
0
 
LVL 6

Expert Comment

by:tlowejr
ID: 21803866
If you go to Active Directory Users and Computers, click on the user, go to Properties, click on Account, then click Log On To. You can limit the machines there.
0
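The "Log On To" dialog edits the userWorkstations attribute on the user object, so the same restriction can be scripted. The block below is an added example (not from the thread or any poster) that sets the attribute through ADSI from any domain-joined machine running PowerShell, then lists enabled users who have no restriction at all, which is the check you would want before claiming the policy is in place. The account name jdoe and the workstation names PC01/PC02 are hypothetical.

```powershell
# Added example: script equivalent of the ADUC "Log On To..." dialog.
# The user name and workstation list below are hypothetical.
$SamAccountName = "jdoe"
$Workstations   = @("PC01", "PC02")

function Get-UserEntry {
    param([string]$Sam)
    # Searches the current domain (default naming context of the logged-on user).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$Sam))"
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "User '$Sam' not found in the current domain." }
    return $result.GetDirectoryEntry()
}

function Set-LogonWorkstations {
    param([string]$Sam, [string[]]$Computers)
    $user = Get-UserEntry -Sam $Sam
    # userWorkstations holds a comma-separated list of NetBIOS names; this is the
    # attribute behind "Log On To...". An empty value means "all computers".
    $user.Put("userWorkstations", ($Computers -join ","))
    $user.SetInfo()
    return $user.Get("userWorkstations")
}

function Get-UnrestrictedUsers {
    # Enabled user accounts with no userWorkstations value: they can still log on anywhere.
    # The bitwise-AND matching rule excludes accounts with ACCOUNTDISABLE (0x2) set.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
                       "(!(userWorkstations=*))" +
                       "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add("sAMAccountName")
    foreach ($r in $searcher.FindAll()) { $r.Properties["samaccountname"][0] }
}

"Logon workstations for {0}: {1}" -f $SamAccountName,
    (Set-LogonWorkstations -Sam $SamAccountName -Computers $Workstations)
"Enabled users with no logon restriction:"
Get-UnrestrictedUsers
```

The attribute only governs interactive logon to the listed machines; it does not touch NTFS permissions, and, as the thread goes on to say, anyone with rights to the user object can clear it again.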
 

Author Comment

by:Inf0rmation
ID: 21803873
superiz: Can this be done by some domain policy or a script? Or does each system have to be configured independently?
0
 

Author Comment

by:Inf0rmation
ID: 21803944
tlowejr: But a domain admin can always modify that.
0
 
LVL 6

Expert Comment

by:tlowejr
ID: 21803956
Yes, there is really no way to lock a domain admin out of a computer. You can give them lower permissions.
0
 
LVL 38

Expert Comment

by:Shift-3
ID: 21804032
Short of encryption there is no effective way to keep someone in the Domain Admins group out of anything using built-in tools. They can undo any Active Directory changes and take ownership of any files protected by NTFS permissions. Auditing can make it more difficult but not impossible for them to cover their tracks.

It's usually a bad idea to store data on workstations to begin with, as it makes backups problematic.
0
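To see concretely what "take ownership of any files protected by NTFS permissions" means, here is an added demonstration (not from the thread) to run in an elevated PowerShell on a test machine. It creates a folder owned by, and accessible only to, one user; shows the administrator being refused; then regains access with takeown and icacls, which succeed because members of Administrators hold SeTakeOwnershipPrivilege regardless of what the DACL says. The path C:\Temp\Private and the account CORP\jdoe are hypothetical.

```powershell
# Added example: NTFS permissions do not stop a local/domain administrator.
# Run elevated. Folder path and user name are hypothetical.
$Folder = "C:\Temp\Private"
$Owner  = "CORP\jdoe"

New-Item -ItemType Directory -Path $Folder -Force | Out-Null
"secret" | Set-Content -Path (Join-Path $Folder "notes.txt")

# 1. Lock the folder down: stop inheritance, drop every existing ACE, grant only
#    the user and SYSTEM, and make the user the owner (owner gets implicit WRITE_DAC,
#    so the admin must not be left as owner for the demonstration to be honest).
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
$inh  = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
$prop = [System.Security.AccessControl.PropagationFlags]::None
$allow = [System.Security.AccessControl.AccessControlType]::Allow
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Owner, $full, $inh, $prop, $allow))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList "NT AUTHORITY\SYSTEM", $full, $inh, $prop, $allow))
$acl.SetOwner([System.Security.Principal.NTAccount]$Owner)
Set-Acl -Path $Folder -AclObject $acl   # needs SeRestorePrivilege to assign another owner

# 2. The administrator is now refused by the DACL...
try {
    Get-ChildItem -Path $Folder -ErrorAction Stop | Out-Null
    "Unexpected: admin could list the folder"
} catch {
    "Admin read blocked as expected: $($_.Exception.Message)"
}

# 3. ...but SeTakeOwnershipPrivilege lets them become owner, and an owner can
#    rewrite the DACL. Two commands and the protection is gone.
takeown /F $Folder /R /D Y | Out-Null
icacls $Folder /grant "Administrators:(OI)(CI)F" /T | Out-Null

"Owner is now: " + (Get-Acl -Path $Folder).Owner
Get-ChildItem -Path $Folder | Select-Object Name, Length
```

Both steps in part 3 leave traces (a changed owner, and event log entries if object access auditing is enabled), which is why the later answers in this thread fall back on auditing rather than prevention.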
 
LVL 3

Expert Comment

by:superiz
ID: 21804084
This example removes unapproved members from the local Administrators group:

Option Explicit
Dim strComputer, objGroup, objUser

' "." is the local machine; put a remote computer name here to run it against another PC.
strComputer = "."
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
For Each objUser In objGroup.Members
    ' Compare by account name and remove anyone on the unapproved list.
    If objUser.Name = "Unapproved1" Or objUser.Name = "Unapproved2" Then
        objGroup.Remove objUser.AdsPath
    End If
Next

0
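A domain-wide version of the same idea, as an added example that is not the poster's code: it uses the same WinNT ADSI provider but inverts the check, removing every member of the local Administrators group that is not on an approved list, across a list of PCs, and reporting what it would do unless -Apply is given. It never removes the machine's own built-in Administrator account, since that is the recovery path when the domain is unreachable. The domain name CORP, the computer names and the approved principals are hypothetical. As Shift-3 pointed out above, anyone in Domain Admins can re-add themselves, so this is hygiene, not a security boundary.

```powershell
# Added example: enforce an approved local Administrators membership on several
# domain-joined PCs. Domain, computer names and approved principals are hypothetical.
$Computers = @("PC01", "PC02")
$Domain    = "CORP"
# Approved members in the ADsPath form the WinNT provider returns for domain principals.
$Approved  = @(
    "WinNT://$Domain/Domain Admins",
    "WinNT://$Domain/jdoe"
)

function Get-LocalGroupMembers {
    param([string]$Computer, [string]$Group = "Administrators")
    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    # IADsGroup::Members returns COM objects; read Name/ADsPath/Class via reflection.
    @($grp.psbase.Invoke("Members")) | ForEach-Object {
        New-Object PSObject -Property @{
            Name    = $_.GetType().InvokeMember("Name",    "GetProperty", $null, $_, $null)
            AdsPath = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
            Class   = $_.GetType().InvokeMember("Class",   "GetProperty", $null, $_, $null)
        }
    }
}

function Set-LocalAdminMembership {
    param([string]$Computer, [string[]]$ApprovedPaths, [switch]$Apply)
    $grp = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in Get-LocalGroupMembers -Computer $Computer) {
        # Keep the machine's own built-in Administrator (local accounts come back as
        # WinNT://<domain>/<computer>/<name>). Assumes the account keeps its default name.
        if ($m.Name -eq "Administrator" -and $m.AdsPath -like "*/$Computer/Administrator") { continue }
        # -contains on strings is case-insensitive, matching how Windows treats names.
        if ($ApprovedPaths -contains $m.AdsPath) { continue }
        if (-not $Apply) {
            "[$Computer] would remove $($m.AdsPath) ($($m.Class))"
            continue
        }
        $grp.Remove($m.AdsPath)
        "[$Computer] removed $($m.AdsPath) ($($m.Class))"
    }
}

foreach ($c in $Computers) {
    try   { Set-LocalAdminMembership -Computer $c -ApprovedPaths $Approved }   # add -Apply to enforce
    catch { Write-Warning "[$c] $($_.Exception.Message)" }
}
```

Run it first without -Apply and read the output: if "Domain Admins" shows up as a removal candidate you have a typo in the domain name, and nothing has been changed yet.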
 
LVL 3

Expert Comment

by:superiz
ID: 21804111
Although the script will work, it is somewhat of a useless idea, since the domain administrators could simply reset the user's passwords to gain access, or even decrypt the user's password to secretly gain access. You either trust your admins or you don't. If you don't, then you probably shouldn't be using a domain security model in the first place.
0
 

Author Comment

by:Inf0rmation
ID: 21804149
I would say this is not a matter of trust but a "need to know" scenario.
0
 
LVL 6

Expert Comment

by:tlowejr
ID: 21804167
Yeah but you should trust they will not go in there.
0
 

Author Comment

by:Inf0rmation
ID: 21804220
Sometimes trust is simply not enough, and besides, whole security models are usually developed due to mistrust :) If we can trust to this level, then life will become very much simpler, especially in IT.
0
 
LVL 3

Expert Comment

by:superiz
ID: 21805664
So long as you understand that the whole idea is not "rock solid"... I forgot to mention that the script type is VBScript. Is there anything about it you need clarification on?
0
 

Author Comment

by:Inf0rmation
ID: 21819254
Thanks :)
0
 
LVL 55

Accepted Solution

by:McKnife (earned 500 total points)
ID: 21837597
Inf0rmation, we had the same request in our company and were able to persuade the people who requested this additional protection that it is not possible. Reason: even with encryption, the administrator can set up a keylogger or similar software to spy on people; you cannot prevent that.
The admin has to be trusted.

If you don't trust the admin, the only way is to have an auditing policy keep an eye on folder access. This policy creates logs; if the admin deletes those logs to erase his tracks, a new log gets created stating "old log deleted", so you have control. But do you really want to go that way? You would have to have someone look at all the logs or set up event log monitoring/forwarding.
0
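The auditing approach described in the accepted answer has two halves that are easy to confuse: the audit policy (object access auditing, turned on per machine or through Group Policy) and a SACL on the folder itself. Without both, nothing is logged. The added example below (not from the thread) sets both and then pulls the relevant Security log entries, including the "audit log was cleared" event that records an administrator wiping the log. Object access is event 560 on Windows 2003/XP and 4663 on Vista/2008 and later; log cleared is 517 on 2003 and 1102 later. The folder path is hypothetical. auditpol.exe only exists on Vista/2008 and later; on Windows 2003 the same switch is "Audit object access" under Local Security Policy or the domain GPO, which the script reminds you of rather than attempting.

```powershell
# Added example: log who touches a folder, and notice when the log itself is cleared.
# Run elevated. The folder path is hypothetical.
$Folder = "C:\Temp\Private"
if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }

# 1. Policy half: enable "Audit object access" (File System subcategory where supported).
if (Get-Command auditpol.exe -ErrorAction SilentlyContinue) {
    auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
} else {
    Write-Warning "auditpol not available (Windows 2003/XP): enable 'Audit object access' via Local Security Policy or GPO."
}

# 2. Object half: a SACL on the folder that records success and failure for the
#    operations that matter, inherited to every file and subfolder.
$acl    = Get-Acl -Path $Folder -Audit
$rights = [System.Security.AccessControl.FileSystemRights]"ReadData,WriteData,Delete,DeleteSubdirectoriesAndFiles,TakeOwnership,ChangePermissions"
$inh    = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit,ObjectInherit"
$prop   = [System.Security.AccessControl.PropagationFlags]::None
$flags  = [System.Security.AccessControl.AuditFlags]"Success,Failure"
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList "Everyone", $rights, $inh, $prop, $flags
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Read back the evidence. ObjectAccessIds: 560 (2003/XP) or 4663 (Vista+).
#    LogClearedIds: 517 (2003/XP) or 1102 (Vista+), written as the first entry of the
#    fresh log when someone clears it, which is the "old log deleted" record.
$ObjectAccessIds = @(560, 4663)
$LogClearedIds   = @(517, 1102)

function Get-FolderAuditEvents {
    param([string]$Path, [datetime]$Since = (Get-Date).AddDays(-1))
    Get-EventLog -LogName Security -After $Since |
        Where-Object {
            ($ObjectAccessIds -contains $_.EventID -and $_.Message -like "*$Path*") -or
            ($LogClearedIds -contains $_.EventID)
        } |
        Select-Object TimeGenerated, EventID, Message
}

Get-FolderAuditEvents -Path $Folder | Format-List
```

Success auditing on a busy folder is noisy; start with Failure only plus the Delete/ChangePermissions/TakeOwnership rights, which are the ones an administrator would need to use to get in, and forward the Security log off the box so that clearing it locally does not also destroy the copy.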
