Solved

How to restrict Windows 2003 domain administrators from accessing the local resources of client PCs?

Posted on 2008-06-17
Last Modified: 2013-12-04
Hi,
I have a Windows 2003 domain with almost 100 clients. Most of the clients have data which they don't want to be exposed to anyone but them. How can I restrict everyone else but the user of the client computer from accessing the data on the clients? (All the clients are part of the domain.)
Thanks
Question by:Inf0rmation
17 Comments
 
LVL 6

Expert Comment

by:tlowejr
You can set up the users so they do not have permission to log on to anyone else's machine.
 
LVL 12

Expert Comment

by:nsx106052
You could start by setting the NTFS permissions so only they have rights to the file or folder. Then you could incorporate encryption if you want to take it a step further.
 
LVL 3

Expert Comment

by:superiz
Edit the local "users" and local "administrators" group on each PC to contain only the domain users and administrators that you wish to have access to that machine.
 

Author Comment

by:Inf0rmation
tlowejr: How?
nsx106052: NTFS restrictions are to be set on individual computers, and in a domain model they may be overwritten by admins. Encryption is the last option which I am considering. I want something domain-based within Windows 2003 Server capabilities (policy-based).
 
LVL 6

Expert Comment

by:tlowejr
If you go to Active Directory Users and Computers, click on the user, go to Properties, click on Account, then click "Log On To". You can limit the machines there.
 

Author Comment

by:Inf0rmation
superiz: Can this be done by some domain policy or a script? Or does each system have to be configured independently?
 

Author Comment

by:Inf0rmation
tlowejr: But a domain admin can always modify that.
 
LVL 6

Expert Comment

by:tlowejr
Yes, there is really no way to lock a domain admin out of a computer. You can give them lower permissions.
 
LVL 38

Expert Comment

by:Shift-3
Short of encryption there is no effective way to keep someone in the Domain Admins group out of anything using built-in tools.  They can undo any Active Directory changes and take ownership of any files protected by NTFS permissions.  Auditing can make it more difficult but not impossible for them to cover their tracks.

It's usually a bad idea to store data on workstations to begin with, as it makes backups problematic.
 
LVL 3

Expert Comment

by:superiz
This example removes unapproved members from the local Administrators group:

' Bind to the local Administrators group via the WinNT ADSI provider.
' "." means the computer the script runs on.
strComputer = "."
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")

' Walk the current members and drop the ones on the unapproved list.
' Member names are compared as plain account names (no domain prefix).
For Each objUser In objGroup.Members
    If objUser.Name = "Unapproved1" Or objUser.Name = "Unapproved2" Then
        objGroup.Remove objUser.AdsPath
    End If
Next
 
LVL 3

Expert Comment

by:superiz
Although the script will work, it is somewhat of a useless idea, since the domain administrators could simply reset the user's passwords to gain access, or even decrypt the user's password to secretly gain access. You either trust your admins or you don't. If you don't, then you probably shouldn't be using a domain security model in the first place.
 

Author Comment

by:Inf0rmation
I would say this is not a matter of trust but a "need to know" scenario.
 
LVL 6

Expert Comment

by:tlowejr
Yeah, but you should trust that they will not go in there.
 

Author Comment

by:Inf0rmation
Sometimes trust is simply not enough, and besides, whole security models are usually developed due to mistrust :) If we could trust to this level, life would become very much simpler, especially in IT.
 
LVL 3

Expert Comment

by:superiz
So long as you understand that the whole idea is not "rock solid". I forgot to mention that the script type is VBScript. Is there anything about it you need clarification on?
 

Author Comment

by:Inf0rmation
Thanks :)
 
LVL 53

Accepted Solution

by:McKnife (earned 500 total points)
Inf0rmation, we had the same request in our company and were able to persuade the people who requested this additional protection that it is not possible. Reason: even with encryption, the administrator can set up a keylogger or similar software to spy on people; you cannot prevent that.
The admin has to be trusted.

If you don't trust the admin, the only way is to have an auditing policy keep an eye on folder access. This policy creates logs; if the admin deletes those logs to erase his tracks, a new log entry gets created stating "old log deleted", so you have control. But do you really want to go that way? You would have to have someone look at all the logs or set up event log monitoring/forwarding.
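The log review McKnife and Shift-3 describe, as an added example that is not part of this thread: a small scan over a constructed CSV export of security-log events that flags every "audit log was cleared" event (ID 517 on Windows 2003, 1102 on later versions), object-access events (560 on Windows 2003, 4663 later) by watched accounts under a protected folder, and the "access, then clear the log" sequence that a track-covering admin would leave behind. The export format, column names, account names and sample lines are assumptions.

```python
import csv
import io
from collections import namedtuple

# Windows 2003 security-log IDs and their later-Windows equivalents.
LOG_CLEARED = {"517", "1102"}    # "The audit log was cleared"
OBJECT_ACCESS = {"560", "4663"}  # object open / access attempt

Finding = namedtuple("Finding", "line event_id account kind detail")

# Constructed sample export (not a real log); columns are an assumption.
SAMPLE_LOG = """\
EventID,Time,Account,Message
560,2008-06-17 09:12:01,CORP\\jsmith,Object Open: C:\\Data\\payroll.xls
560,2008-06-17 09:40:55,CORP\\admin1,Object Open: C:\\Data\\payroll.xls
517,2008-06-17 09:41:30,CORP\\admin1,The audit log was cleared
560,2008-06-17 10:02:10,CORP\\jsmith,Object Open: C:\\Data\\notes.txt
"""

def scan_audit_export(text, watched_accounts, protected_prefix):
    """Return findings in log order: every log-clear event, plus any
    object-access event under protected_prefix by an account in
    watched_accounts (lower-case DOMAIN\\name), e.g. domain admins who
    have no business reason to open user data on workstations."""
    findings = []
    # Header is line 1, so the first data row is line 2.
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        eid, acct, msg = row["EventID"], row["Account"], row["Message"]
        if eid in LOG_CLEARED:
            findings.append(Finding(n, eid, acct, "log_cleared", msg))
        elif eid in OBJECT_ACCESS and acct.lower() in watched_accounts:
            path = msg.split(": ", 1)[-1]
            if path.lower().startswith(protected_prefix.lower()):
                findings.append(Finding(n, eid, acct, "admin_access", path))
    return findings

def suspects(findings):
    """Accounts that opened protected data and later cleared the audit
    log: the pattern the thread calls 'covering their tracks'. The clear
    event itself survives in the new log, which is what makes this
    detectable at all."""
    accessed, hits = set(), set()
    for f in findings:
        if f.kind == "admin_access":
            accessed.add(f.account)
        elif f.kind == "log_cleared" and f.account in accessed:
            hits.add(f.account)
    return hits
```

Because the clear event is written to the fresh log, the scan still sees it even when the events before it are gone; what it cannot recover is what else the cleared log contained, which is why the thread calls auditing a deterrent rather than a guarantee.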