Solved

How to restrict Windows 2003 domain administrators from accessing the local resources of client PCs?

Posted on 2008-06-17
250 Views
Last Modified: 2013-12-04
Hi,
I have a Windows 2003 domain with almost 100 clients. Most of the clients have data which they don't want to be exposed to anyone but them. How can I restrict everyone else but the user of the client computer from accessing the data on the clients? (All the clients are part of the domain.)
Thanks
0
Question by:Inf0rmation
17 Comments
 
LVL 6

Expert Comment

by:tlowejr
ID: 21803755
You can set up the user so they do not have permission to log on to anyone else's machine.
0
 
LVL 12

Expert Comment

by:nsx106052
ID: 21803776
You could start by setting the NTFS permissions so only they have rights to the file or folder. Then you could incorporate encryption if you want to take it a step further.
0
 
LVL 3

Expert Comment

by:superiz
ID: 21803793
Edit the local "users" and local "administrators" group on each PC to contain only the domain users and administrators that you wish to have access to that machine.
0
 

Author Comment

by:Inf0rmation
ID: 21803839
Tlowerj: How?
nsx106052: NTFS restrictions are to be set on individual computers, and in a domain model they may be overwritten by admins. Encryption is the last option which I am considering. I want something domain based within Windows 2003 server capabilities (policy based).
0
 
LVL 6

Expert Comment

by:tlowejr
ID: 21803866
If you go to Active Directory Users and Computers, click on the user, go to Properties, click on Account, then click Log On To. You can limit the machines there.
0
 

Author Comment

by:Inf0rmation
ID: 21803873
superiz: Can this be done by some domain policy or a script? Or does each system have to be configured independently?
0
 

Author Comment

by:Inf0rmation
ID: 21803944
tlowejr: But a domain admin can always modify that
0
 
LVL 6

Expert Comment

by:tlowejr
ID: 21803956
Yes, there is really no way to lock a domain admin out of a computer. You can give them lower permissions.
0
 
LVL 38

Expert Comment

by:Shift-3
ID: 21804032
Short of encryption there is no effective way to keep someone in the Domain Admins group out of anything using built-in tools.  They can undo any Active Directory changes and take ownership of any files protected by NTFS permissions.  Auditing can make it more difficult but not impossible for them to cover their tracks.

It's usually a bad idea to store data on workstations to begin with, as it makes backups problematic.
0
 
LVL 3

Expert Comment

by:superiz
ID: 21804084
This example removes unapproved members from the local Administrators group:

Option Explicit
Dim strComputer, objGroup, objUser

' "." is the local machine; the WinNT provider binds to its local Administrators group
strComputer = "."
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators")

' Walk the current members and remove only the named accounts; everyone else is left alone
For Each objUser In objGroup.Members
    If objUser.Name = "Unapproved1" Or objUser.Name = "Unapproved2" Then
        objGroup.Remove(objUser.AdsPath)
    End If
Next

0
 
LVL 3

Expert Comment

by:superiz
ID: 21804111
Although the script will work, it is somewhat of a useless idea, since the domain administrators could simply reset the user's passwords to gain access, or even decrypt the user's password to secretly gain access. You either trust your admins or you don't. If you don't, then you probably shouldn't be using a domain security model in the first place.
0
 

Author Comment

by:Inf0rmation
ID: 21804149
I would say this is not a matter of trust but a "need to know" scenario.
0
 
LVL 6

Expert Comment

by:tlowejr
ID: 21804167
Yeah but you should trust they will not go in there.
0
 

Author Comment

by:Inf0rmation
ID: 21804220
Sometimes trust is simply not enough, and besides, whole security models are usually developed due to mistrust :) If we could trust to this level, then life would become very much simpler, especially in IT.
0
 
LVL 3

Expert Comment

by:superiz
ID: 21805664
So long as you understand that the whole idea is not "rock solid". I forgot to mention that the script type is VBScript. Is there anything about it you need clarification on?
0
 

Author Comment

by:Inf0rmation
ID: 21819254
Thanks :)
0
 
LVL 55

Accepted Solution

by:McKnife (earned 500 total points)
ID: 21837597
Inf0rmation, we had the same request in our company and were able to persuade the people who requested this additional protection that it is not possible. Reason: even with encryption, the administrator can set up a keylogger or similar software to spy on people - you cannot prevent that.
The admin has to be trusted.

If you don't trust the admin, the only way is to have an auditing policy keep an eye on folder access. This policy creates logs - if the admin deletes those logs to erase his tracks, a new log gets created stating "old log deleted", so you have control - but do you really want to go that way? You would have to have someone look at all the logs or set up event log monitoring/forwarding.
0
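The log review McKnife describes, as an added example that is not part of the thread: it runs over constructed records in a simplified "EventID|Account|ObjectName" export format (not a real event-log dump) and flags access to a protected folder by anyone other than its owner, plus any clearing of the Security log. The event IDs are the real object-access and log-cleared IDs (560/567 and 517 on Windows 2003, 4656/4663 and 1102 on Vista and later); the folder-to-owner mapping is an assumption for the example.

```python
"""Flag folder access by non-owners and Security-log clearing in exported audit records."""

# Object-access and log-cleared event IDs: Windows 2003 uses 560/567 and 517,
# Vista and later use 4656/4663 and 1102.
OBJECT_ACCESS_IDS = {560, 567, 4656, 4663}
LOG_CLEARED_IDS = {517, 1102}

# Constructed for the example: protected folder -> the one account allowed to use it.
PROTECTED = {
    r"C:\Data\Finance": "CORP\\alice",
    r"C:\Data\Legal": "CORP\\bob",
}

# Constructed sample export, one "EventID|Account|ObjectName" record per line.
SAMPLE_LOG = """\
560|CORP\\alice|C:\\Data\\Finance\\budget.xls
560|CORP\\admin1|C:\\Data\\Finance\\budget.xls
4663|CORP\\bob|C:\\Data\\Legal\\contract.doc
4663|CORP\\admin1|C:\\Data\\Legal\\contract.doc
517|CORP\\admin1|Security
592|CORP\\alice|notepad.exe
"""


def parse_records(text):
    """Yield (event_id, account, object_name) for each non-empty export line."""
    for line in text.splitlines():
        if line.strip():
            event_id, account, obj = line.split("|", 2)
            yield int(event_id), account, obj


def owner_of(path):
    """Return the allowed account if path lies inside a protected folder, else None."""
    p = path.lower()
    for folder, owner in PROTECTED.items():
        f = folder.lower()
        if p == f or p.startswith(f + "\\"):
            return owner
    return None


def review(text):
    """Return (kind, account, object) findings: 'foreign_access' or 'log_cleared'."""
    findings = []
    for event_id, account, obj in parse_records(text):
        if event_id in LOG_CLEARED_IDS:
            findings.append(("log_cleared", account, obj))
        elif event_id in OBJECT_ACCESS_IDS:
            owner = owner_of(obj)
            if owner is not None and account.lower() != owner.lower():
                findings.append(("foreign_access", account, obj))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```

The same check can be pointed at records forwarded from every workstation, which is the monitoring/forwarding step McKnife mentions.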
