  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 257

How to restrict Windows 2003 domain administrators from accessing the local resources of client PCs?

Hi,
I have a Windows 2003 domain with almost 100 clients. Most of the clients have data which they don't want to be exposed to anyone but them. How can I restrict everyone else but the user of the client computer from accessing the data on the clients? (All the clients are part of the domain.)
Thanks
0
Asked by: Inf0rmation
1 Solution
 
tlowejr commented:
You can set up the user so they do not have permission to log on to anyone else's machine.
0
 
nsx106052 commented:
You could start by setting the NTFS permissions so only they have rights to the file or folder. Then you could incorporate encryption if you want to take it a step further.
0
 
superiz commented:
Edit the local "Users" and local "Administrators" group on each PC to contain only the domain users and administrators that you wish to have access to that machine.
0
 
Inf0rmation (Author) commented:
tlowejr: How?
nsx106052: NTFS restrictions are to be set on individual computers, and in a domain model they may be overwritten by admins. Encryption is the last option which I am considering. I want something domain based within Windows 2003 server capabilities (policy based).
0
 
tlowejr commented:
If you go to Active Directory Users and Computers, click on the user, go to Properties, click on Account, then click "Log On To". You can limit the machines there.
0
 
Inf0rmation (Author) commented:
superiz: Can this be done by some domain policy or a script, or does each system have to be configured independently?
0
 
Inf0rmation (Author) commented:
tlowejr: But a domain admin can always modify that.
0
 
tlowejr commented:
Yes, there is really no way to lock a domain admin out of a computer. You can give them lower permissions.
0
 
Shift-3 commented:
Short of encryption there is no effective way to keep someone in the Domain Admins group out of anything using built-in tools.  They can undo any Active Directory changes and take ownership of any files protected by NTFS permissions.  Auditing can make it more difficult but not impossible for them to cover their tracks.

It's usually a bad idea to store data on workstations to begin with, as it makes backups problematic.
0
 
superiz commented:
This example removes unapproved members from the local Administrators group:

' Bind to the local Administrators group through the WinNT provider ("." = this computer)
strComputer = "."
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")
' Walk the membership and remove the accounts that are not approved
For Each objUser In objGroup.Members
    If objUser.Name = "Unapproved1" Or objUser.Name = "Unapproved2" Then
        objGroup.Remove objUser.AdsPath
    End If
Next

0
 
superiz commented:
Although the script will work, it is somewhat of a useless idea, since the domain administrators could simply reset the user's passwords to gain access, or even decrypt the user's password to secretly gain access. You either trust your admins or you don't. If you don't, then you probably shouldn't be using a domain security model in the first place.
0
 
Inf0rmation (Author) commented:
I would say this is not a matter of trust but a "need to know" scenario.
0
 
tlowejr commented:
Yeah, but you should trust they will not go in there.
0
 
Inf0rmation (Author) commented:
Sometimes trust is simply not enough, and besides, whole security models are usually developed due to mistrust :) If we could trust to this level, then life would become very much simpler, especially in IT.
0
 
superiz commented:
So long as you understand that the whole idea is not "rock solid". I forgot to mention that the script type is VBScript. Is there anything about it you need clarification on?
0
 
Inf0rmation (Author) commented:
Thanks :)
0
 
McKnife commented:
Inf0rmation, we had the same request in our company and were able to persuade the people who requested this additional protection that it is not possible. Reason: even with encryption, the administrator can set up a keylogger or similar software to spy on people; you cannot prevent that.
The admin has to be trusted.

If you don't trust the admin, the only way is to have an auditing policy keep an eye on folder access. This policy creates logs; if the admin deletes those logs to erase his tracks, a new log gets created stating "old log deleted", so you have control. But do you really want to go that way? You would have to have someone look at all the logs or set up event log monitoring/forwarding.
0
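As an added example (not code from the thread), this is the kind of review McKnife's auditing policy would feed: a Python script over constructed sample Security-log records that flags audit-log clears and any non-owner access to a protected folder. The record format, account names, paths and the protected-folder mapping are assumed sample values; the event IDs are the real Windows ones for those events.

```python
"""Review constructed Security-log records for the things an audit
policy exists to catch: audit-log clears, and non-owner access to a
protected folder. Added example, not code from the thread."""
from dataclasses import dataclass

# Event IDs: 517 = audit log cleared (Windows 2003), 1102 = same on Vista+;
# 560 = object open (Windows 2003), 4663 = object access attempt (Vista+).
LOG_CLEARED = {517, 1102}
OBJECT_ACCESS = {560, 4663}

# Constructed sample records, one per line: EventID|Account|Object|Access
SAMPLE_LOG = """\
560|CORP\\jsmith|C:\\Users\\jsmith\\Private\\notes.txt|ReadData
560|CORP\\adminbob|C:\\Users\\jsmith\\Private\\notes.txt|ReadData
560|CORP\\adminbob|C:\\Windows\\Temp\\x.tmp|WriteData
517|CORP\\adminbob||
4663|CORP\\jsmith|C:\\Users\\jsmith\\Private\\budget.xlsx|WriteData
"""

# Assumed mapping: protected folder prefix -> the only account allowed in it
PROTECTED = {"C:\\Users\\jsmith\\Private": "CORP\\jsmith"}

@dataclass
class Finding:
    event_id: int
    account: str
    reason: str

def review_log(text, protected=PROTECTED):
    """Return one Finding per suspicious record, in log order."""
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        event_id, account, obj, access = raw.split("|")
        event_id = int(event_id)
        if event_id in LOG_CLEARED:
            # Clearing the log is itself logged; treat it as a red flag.
            findings.append(Finding(event_id, account, "audit log cleared"))
        elif event_id in OBJECT_ACCESS:
            for prefix, owner in protected.items():
                if obj.lower().startswith(prefix.lower()) and account.lower() != owner.lower():
                    findings.append(Finding(event_id, account, f"{access} on {obj}"))
    return findings

if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"event {f.event_id}: {f.account} - {f.reason}")
```

Forwarding the Security log to a host the local admins do not control is what makes the "audit log cleared" finding useful, since a copy then survives the clear.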
