|
Re: Computer Management Security Problem
On Tue, 27 Jul 2004 09:20:40 -0700, "Dave W." <W.@discussions.microsoft.com> wrote:
>We use a Windows 2003 DC and have found that all of our users can choose "Manage" on "My Computer" and then choose the domain controller PC as the PC to manage. They can then add shares, shut down services, etc., which defeats all the security.
>
>How can I prevent users from specifying another computer name in the Computer Management console snap-in and/or how do I restrict a computer from allowing only specific users to connect?
>
>Note that all of our users are administrators, which I know is bad, but they are software developers and need to constantly re-install, update registries, etc.
Administrators? As in "Domain Administrators"? Maybe Local Administrators, but not Domain Administrators.
Jeff
|
It seems that the problem may be related to administrators having "SeTakeOwnershipPrivilege" by default. If I remove that privilege (which the DC loaded with "Administrators" in the default domain policy) and change it to "Domain Admins" instead, the users are no longer able to make any changes or to view the shares via Computer Management.
This may be a solution but since the users have administrator privileges, they can likely re-enable this on their own machine, thus I really need to set the protection on the DC itself to prevent users from accessing these objects.
All users are part of the "Domain Users" group, which belongs to the "Administrators" group in the GP loaded into each user's PC. This gives them the required privileges on their own PC but does not give them domain administrator privileges.
Thanks for your continuing help.
"Jeff Cochran" wrote:
|
Paul Adare - MVP - Microsoft Virtual PC
In article, in the microsoft.public.win2000.security newsgroup, Dave W. says...
> All users are part of the "Domain Users" group, which belongs to the "Administrators" group in the GP loaded into each user's PC. This gives them the required privileges on their own PC but does not give them domain administrator privileges.
So, you're using Restricted Groups in Group Policy to add the Domain Users group to the Administrators group? And I'm betting that you're either using the Default Domain GPO or a GPO at the domain level to enforce this? This is your problem right here.
By using a GPO at the domain level and specifying that Domain Users are members of a group called Administrators, not only are you adding Domain Users to the local Administrators group on your workstations, you're also adding Domain Users to the Administrators group on your Domain Controllers!!!
There are a number of ways to fix this:
1. Make sure that all affected workstations are in an OU (not the default Computers container, as that is not an OU) and then create a GPO with your Restricted Groups setting that only applies to the workstations.
2. If you insist on using a domain-level GPO for this, modify the Default Domain Controllers GPO to not include Domain Users in the Administrators group.
You've done this to yourself, and it has nothing specifically to do with the security right you're mentioning. The only reason Domain Users have that right is because you've made them Administrators on your domain controllers.
-- Paul Adare This posting is provided "AS IS" with no warranties, and confers no rights.
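A check for the misconfiguration Paul describes, added here as an example and not code from the thread: it reports whether Domain Users sits in the domain's BUILTIN\Administrators group (the Administrators group on every DC) and which GPO linked at the domain root or the Domain Controllers OU carries a Restricted Groups entry that puts it there. It assumes a current DC or admin workstation with the RSAT ActiveDirectory and GroupPolicy PowerShell modules (which did not exist in 2004), and the GPO XML report element names used below are assumed from the report format, so confirm them against your own report if the script finds nothing.

```powershell
# Added audit script; not code from the thread. Checks the two things Paul
# describes: (1) whether Domain Users is a member of BUILTIN\Administrators in
# AD, i.e. on the DCs, and (2) which GPO linked where it reaches a DC carries a
# Restricted Groups setting that puts Domain Users into that group.
# Assumes PowerShell 5.1+ with the RSAT ActiveDirectory and GroupPolicy modules,
# run by an account that can read AD group membership and GPO reports.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain          = Get-ADDomain
$domainUsersSid  = "$($domain.DomainSID.Value)-513"   # RID 513 is Domain Users in every domain
$builtinAdminSid = 'S-1-5-32-544'                      # well-known SID of BUILTIN\Administrators

# (1) Direct members of BUILTIN\Administrators as stored in AD (shared by all DCs).
$adminMembers = Get-ADGroupMember -Identity $builtinAdminSid
if ($adminMembers | Where-Object { $_.SID.Value -eq $domainUsersSid }) {
    Write-Warning 'Domain Users is a direct member of BUILTIN\Administrators on the DCs.'
} else {
    Write-Output 'OK: Domain Users is not a direct member of BUILTIN\Administrators.'
}

# (2) Walk every GPO linked at the domain root or the Domain Controllers OU and
# inspect its Restricted Groups entries (SecuritySettings part of the XML report).
# local-name() in the XPath sidesteps the report's namespace prefixes (assumed layout).
$scopes = @($domain.DistinguishedName, $domain.DomainControllersContainer)
foreach ($scope in $scopes) {
    foreach ($link in (Get-GPInheritance -Target $scope).GpoLinks) {
        [xml]$report = Get-GPOReport -Guid $link.GpoId -ReportType Xml
        $entries = $report.SelectNodes("//*[local-name()='RestrictedGroups']")
        foreach ($entry in $entries) {
            $group = $entry.SelectSingleNode("*[local-name()='GroupName']/*[local-name()='Name']").InnerText
            if ($group -notmatch 'Administrators$') { continue }
            $members = $entry.SelectNodes("*[local-name()='Member']/*[local-name()='Name']") |
                       ForEach-Object { $_.InnerText }
            if ($members -match 'Domain Users$') {
                Write-Warning ("GPO '{0}' linked at {1} makes [{2}] members of {3}" -f
                    $link.DisplayName, $scope, ($members -join ', '), $group)
            }
        }
    }
}
```

A GPO flagged at the domain root is exactly Paul's case: the same Restricted Groups entry lands on workstations and DCs alike, so the fix is to move that setting to a workstation OU or override it in the Default Domain Controllers GPO.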
|
Yeah, what Paul said. :)
Jeff
On Tue, 27 Jul 2004 15:27:02 -0700, "Dave W." wrote:
|
I agree with Paul. Sounds like an inadvertent group addition. Check: to view a user's group membership for a domain(s), use the resource kit utility Showgrps.exe. Run it under the user account that appears to have too many privileges.
-- Mark-Allen Perry ALPHA Systems, Switzerland mark-allen AT mvps DOT org
"Paul Adare - MVP - Microsoft Virtual PC" wrote in message news:MPG.1b713b62ff679a039899af@msnews.microsoft.com...
|