Jeff Cichocki (Guest)
Posted: Mon Jan 10, 2005 9:22 pm
Post subject: Deny rights question
I have a new 2003 environment that is managing some XP machines. A few of
the XP machines have users that are set up as local admins to their respective
machines. Is there a way to prevent their local admin rights from giving
them admin rights to the domain servers? Specifically, they can browse the
network and open any folder on the server because of this scenario.
Thanks
Jeff

Miha Pihler [MVP] (Guest)
Posted: Mon Jan 10, 2005 9:45 pm
Post subject: Re: Deny rights question
Hi Jeff,
Being local administrator on local Windows XP computers doesn't give users
administrative permissions on any other computer in the domain.
If these users do have administrator permissions on a domain server then
something else must be misconfigured.
Can you check:
* on domain (in e.g. your active directory) what groups are these users
members of
* permissions that are granted to the folders that these users can (but
shouldn't) browse
--
Mike
Microsoft MVP - Windows Security

Tyler (Guest)
Posted: Mon Jan 10, 2005 9:59 pm
Post subject: Re: Deny rights question
It sounds to me like the shares that they are browsing to are set wide open.
Either they have share permissions set to Everyone or Domain Users.
When they are browsing through the network the folders that they can see on
any given server are network shares that they have permissions to.
Tyler

Jeff Cichocki (Guest)
Posted: Mon Jan 10, 2005 10:45 pm
Post subject: Re: Deny rights question
OK. I have checked the shares and they are set to "Authenticated Users".
It must have been changed somewhere along the way. When I check the
individual directories, there is the "Administrator" account assigned to
each directory with full control. It looks like it is the domain admin
account to me. Is it the share that is letting them have too much or is it
the "Administrator"?
Thanks
Jeff

Steven L Umbach (Guest)
Posted: Tue Jan 11, 2005 1:04 am
Post subject: Re: Deny rights question
There are some folders that they will be able to open by default on a domain
controller such as sysvol. They would be able to open and list any share
that has share and NTFS permissions for everyone/users/authenticated users
or other groups that they are members of. If these folders are restricted to
"administrators" for permissions then you want to be sure to double check
membership in the domain admins, enterprise admins [if available] and
administrators groups in Active Directory Users and Computers. If they can
access the default hidden admin share on a domain controller such as C$, you
know they have excessive permissions in the domain.
--- Steve

Roger Abell [MVP] (Guest)
Posted: Thu Jan 13, 2005 12:03 pm
Post subject: Re: Deny rights question
That Administrator in the NTFS is likely the machine local
Administrator of the machine that is sharing out the storage.
The share level and NTFS level permissions must both
grant a permission (and neither deny it) to an account (even
if via a group) in order for it to be able to use that permission.
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA, MCSE W2k3+W2k+Nt4
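
The checks suggested in the replies above (share permissions, NTFS permissions on the shared folder, and administrative group membership), written out as an added example that is not part of any post in the thread. It assumes the SmbShare PowerShell module (Windows Server 2012 or later, so not the 2003 servers discussed here); the `$broad` group list and the `Test-BroadPrincipal` helper are illustrative names.

```powershell
# Added example: flag shares where a broad group is allowed at BOTH the share
# layer and the NTFS layer, since access requires both to grant it.
# Assumption: SmbShare module is available (Windows Server 2012 / Windows 8 or later).
$broad = 'Everyone', 'Authenticated Users', 'Users', 'Domain Users'

function Test-BroadPrincipal([string]$Account) {
    # Compare on the name after any "DOMAIN\", "BUILTIN\" or "NT AUTHORITY\" prefix.
    $broad -contains ($Account -split '\\')[-1]
}

Get-SmbShare -Special $false | Where-Object { $_.Path } | ForEach-Object {
    $share = $_

    # Share-level entries that allow a broad group.
    $shareAllow = Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $_.AccountName)
    }

    # NTFS entries on the shared folder that allow a broad group.
    $ntfsAllow = (Get-Acl -LiteralPath $share.Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (Test-BroadPrincipal $_.IdentityReference.Value)
    }

    [pscustomobject]@{
        Share       = $share.Name
        Path        = $share.Path
        ShareAllows = ($shareAllow | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join '; '
        NtfsAllows  = ($ntfsAllow | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; '
        # Only shares open at both layers are reachable by ordinary domain users.
        Exposed     = [bool]$shareAllow -and [bool]$ntfsAllow
    }
} | Format-Table -AutoSize -Wrap

# Group membership checks; net.exe is available on every Windows version.
net localgroup Administrators      # local (or, on a DC, built-in) Administrators group
net group "Domain Admins" /domain  # domain-wide administrators
```

A share that lists "Authenticated Users" at the share layer but only "Administrator" in its NTFS entries shows `Exposed` as False; Deny entries and subfolder ACLs that differ from the share root still need a manual look.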