Re: Prevent users from changing domain name

From: Steven L Umbach (sumbach_at_nospam-ameritech.net)
Date: 03/04/04


Date: Thu, 04 Mar 2004 19:13:15 GMT

That is a tough one as those users are obviously local administrators on a
W2K box. XP Pro has the network configuration group that you can add users
to for the purpose of being able to change most network settings without
having to be an administrator.

There are a couple of things that you can try to help prevent that problem.
Many users do not know what they can do as a local administrator while
others know all the tricks and will be next to impossible to stop, though a
signed tough user computer use policy with defined and enforced consequences
may help.

Use Group Policy to remove properties from the My Computer context menu.
This is done in user configuration/administrative templates/desktop. Then
hide system properties [if they need no access to it] from the control panel
in user configuration/administrative templates/control panel. Users still
could access sysdm.cpl to open system properties. To prevent that you would
have to change the ntfs permissions on that file to leave possibly only the
domain admins group [which can be done via Group Policy/computer
configuration/file system]. Of course a local administrator can change ntfs
permissions. To deter that you can see the KB link below on how to use Group
Policy to remove the security tab from domain member computers. Other things
that you might try to do to limit the power of local administrators via
Group Policy, if it does not interfere with their functionality, may include
disabling the command prompt and registry editing, restricting ntfs
permissions on other binaries on the computer such as the net and secedit
command, adding cmd.exe, command.com, install.exe, and setup.exe to the
disallowed Windows Applications as described in the second KB link and
restricting their access to mmc snapins [particularly lusrmgr.msc]. Again
it is very hard to restrict a local administrator, but some or all of these
suggestions may be worth a try. --- Steve

http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b303153
http://support.microsoft.com/default.aspx?scid=kb;en-us;323525

"Woody" <anonymous@discussions.microsoft.com> wrote in message
news:742101c4020d$13c7d430$a101280a@phx.gbl...
> Hi All,
>
> Does anyone know how to prevent users from changing the
> domain (removing from domain) without preventing them
> from changing IP Address.
> Some of our users are required to have Static IP
> Addresses.
>
> Much Appreciated,
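
An added example, not part of the original post or the linked KB articles: a PowerShell audit that checks, on one machine, whether the NTFS restrictions and the disallowed-applications list suggested in the reply are actually in place. It assumes a system with PowerShell available, that it is run as the user whose policy is being checked, and that the allowed principals shown (a constructed `CONTOSO` domain) are the only ones meant to keep access.

```powershell
# Assumption: only these principals should keep access to the restricted binaries.
$AllowedPrincipals = @('CONTOSO\Domain Admins', 'NT AUTHORITY\SYSTEM')  # constructed names

# Binaries the reply suggests restricting with NTFS permissions.
$RestrictedFiles = 'sysdm.cpl', 'net.exe', 'secedit.exe' |
    ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }

# Programs the reply suggests adding to the disallowed applications list.
$ExpectedDisallowed = 'cmd.exe', 'command.com', 'install.exe', 'setup.exe'

function Get-UnexpectedAce {
    param([string]$Path, [string[]]$Allowed)
    # Return every Allow ACE held by a principal that is not on the allowed list.
    if (-not (Test-Path -LiteralPath $Path)) { return }
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $Allowed -notcontains $_.IdentityReference.Value
    }
}

function Get-MissingDisallowRunEntry {
    param([string[]]$Expected)
    # Per-user policy location: the DisallowRun value switches the policy on,
    # and the DisallowRun subkey holds the list of blocked program names.
    $explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $flag = (Get-ItemProperty $explorer -Name DisallowRun -ErrorAction SilentlyContinue).DisallowRun
    $configured = @()
    if ($flag -eq 1 -and (Test-Path "$explorer\DisallowRun")) {
        $key = Get-Item "$explorer\DisallowRun"
        $configured = $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
    }
    # Anything expected but not configured (or not enforced) is reported.
    $Expected | Where-Object { $configured -notcontains $_ }
}

foreach ($file in $RestrictedFiles) {
    Get-UnexpectedAce -Path $file -Allowed $AllowedPrincipals | ForEach-Object {
        '{0}: {1} still has {2}' -f $file, $_.IdentityReference, $_.FileSystemRights
    }
}
Get-MissingDisallowRunEntry -Expected $ExpectedDisallowed |
    ForEach-Object { "DisallowRun is missing or not enforced for $_" }
```

No output means both checks passed for the current user on this machine.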


