Re: Client Lockdown

From: Marina Roos [SBS-MVP] (marina_at_roos.nodontwantspam.nl.com)
Date: 01/03/05


Date: Mon, 3 Jan 2005 13:08:20 +0100

Hi Bob,

From ServerManagement, Computer. Select a computer and select manage
computer. Expand the Local Users and groups. Expand the Groups. Take out the
domain users from the administrator group and put them in the user group.

-- 
Regards,
Marina
Microsoft SBS-MVP
One of the Magical M&M's
"bobroq" <bobroq@discussions.microsoft.com> wrote in message
news:6B9FC2C6-E46E-42A1-8646-7CB977614E26@microsoft.com...
> I am sorry to be a pain but would you mind giving me instructions on how to
> do this.
>
> I have tried to change this without any luck.
>
> Thank you so much for the help you've given me so far.
>
> Bob
>
> "Marina Roos [SBS-MVP]" wrote:
>
> > Hi Bob,
> >
> > The users should be in the local User group on the workstations. Only for
> > installing apps you might want to put them in the local admin group, but
> > after that, put them back in the user group. You can do that from the
> > server console.
> >
> > -- 
> > Regards,
> >
> > Marina
> > Microsoft SBS-MVP
> > One of the Magical M&M's
> >
> > "bobroq" <bobroq@discussions.microsoft.com> wrote in message
> > news:C62FDD8D-F670-4D7B-B425-2C96F91B978C@microsoft.com...
> > > Happy new year to you too.
> > >
> > > I actually do have one more question relevant to this topic.
> > > Today I was just about at a point where I considered myself done with this
> > > install.
> > >
> > > I have all the group policy objects that I want configured.  The computers
> > > are almost completely locked down, however, my users still have administrator
> > > level privileges on their computers.  Is this normal?  I would feel much
> > > better with them in the user level privileges.
> > >
> > > I added the users using the Add user Wizard contained in the server
> > > management console.  When I created them I used the user level security
> > > template.
> > >
> > > Thanks again for your help
> > > Bob
> > >
> > > "Marina Roos [SBS-MVP]" wrote:
> > >
> > > > Hi Bob,
> > > >
> > > > Good finding!
> > > >
> > > > Happy New Year!
> > > >
> > > > -- 
> > > > Regards,
> > > >
> > > > Marina
> > > > Microsoft SBS-MVP
> > > > One of the Magical M&M's
> > > >
> > > > "bobroq" <bobroq@discussions.microsoft.com> wrote in message
> > > > news:2854C614-C55A-4A6A-9527-0AF021E890F0@microsoft.com...
> > > > > Yes I did thank you.
> > > > >
> > > > > I just wanted to post that I found the level of lockdown I wanted by using
> > > > > this Microsoft whitepaper - Group Policy Common Scenarios Using GPMC
> > > > >
> > > > > http://www.microsoft.com/downloads/details.aspx?FamilyID=354b9f45-8aa6-4775-9208-c681a7043292&DisplayLang=en
> > > > >
> > > > > It defines a list of common GPO scenarios and was really helpful.
> > > > >
> > > > > "Marina Roos [SBS-MVP]" wrote:
> > > > >
> > > > > > Hi Bob,
> > > > > >
> > > > > > Great! Did you also rerun CEICW after changing the server nics?
> > > > > >
> > > > > > -- 
> > > > > > Regards,
> > > > > >
> > > > > > Marina
> > > > > > Microsoft SBS-MVP
> > > > > > One of the Magical M&M's
> > > > > >
> > > > > > "bobroq" <bobroq@discussions.microsoft.com> wrote in message
> > > > > > news:D1C4F8C1-2416-4769-99A7-B8579F269D6F@microsoft.com...
> > > > > > > I found out that I can modify this property by:
> > > > > > > Start -> Administrative tools -> DHCP
> > > > > > >
> > > > > > > then from that window going
> > > > > > > Server -> scope -> Scope Options  (and selecting configure)
> > > > > > >
> > > > > > > Then clicking router and changing the value from 192.168.1.1 to
> > > > > > > 192.168.1.101
> > > > > > >
> > > > > > > Thank you for your help
> > > > > > >
> > > > > > > "bobroq" wrote:
> > > > > > >
> > > > > > > > Thank you very much for your reply...
> > > > > > > > Just to clarify:
> > > > > > > > During the install two network connections were made for me
> > > > > > > > Server Local Area Connection
> > > > > > > > Network Connection
> > > > > > > >
> > > > > > > > How exactly do I specify the Default Gateway for my clients. I have DHCP
> > > > > > > > setup on the server so they are obtaining that value when I do an ipconfig
> > > > > > > > /renew.
> > > > > > > >
> > > > > > > > Thank you again
> > > > > > > > Bob.
> > > > > > > >
> > > > > > > > "Marina Roos [SBS-MVP]" wrote:
> > > > > > > >
> > > > > > > > > Hi Bob,
> > > > > > > > >
> > > > > > > > > DNS on the server nic should ** only ** point to the server IP.
> > > > > > > > > The clients have a totally wrong gateway, so that is the reason they are not
> > > > > > > > > able at all to browse the internet.
> > > > > > > > >
> > > > > > > > > -- 
> > > > > > > > > Regards,
> > > > > > > > >
> > > > > > > > > Marina
> > > > > > > > > Microsoft SBS-MVP
> > > > > > > > > One of the Magical M&M's
> > > > > > > > >
> > > > > > > > > "bobroq" <bobroq@discussions.microsoft.com> wrote in message
> > > > > > > > > news:13C00688-EB3F-4F8A-B1D9-8AAD7038F04A@microsoft.com...
> > > > > > > > > > Server:
> > > > > > > > > > Windows IP Configuration
> > > > > > > > > >
> > > > > > > > > >    Host Name . . . . . . . . . . . . : zeus
> > > > > > > > > >    Primary Dns Suffix  . . . . . . . : CertifiedGrinding.local
> > > > > > > > > >    Node Type . . . . . . . . . . . . : Unknown
> > > > > > > > > >    IP Routing Enabled. . . . . . . . : Yes
> > > > > > > > > >    WINS Proxy Enabled. . . . . . . . : Yes
> > > > > > > > > >    DNS Suffix Search List. . . . . . : CertifiedGrinding.local
> > > > > > > > > >
> > > > > > > > > > Ethernet adapter Server Local Area Connection:
> > > > > > > > > >
> > > > > > > > > >    Connection-specific DNS Suffix  . :
> > > > > > > > > >    Description . . . . . . . . . . . : SMC EZ Card 10/100 PCI (SMC1211TX)
> > > > > > > > > >    Physical Address. . . . . . . . . : 00-10-B5-9D-8B-37
> > > > > > > > > >    DHCP Enabled. . . . . . . . . . . : No
> > > > > > > > > >    IP Address. . . . . . . . . . . . : 192.168.1.101
> > > > > > > > > >    Subnet Mask . . . . . . . . . . . : 255.255.255.0
> > > > > > > > > >    Default Gateway . . . . . . . . . :
> > > > > > > > > >    DNS Servers . . . . . . . . . . . : 64.65.208.6
> > > > > > > > > >                                        64.64.196.6
> > > > > > > > > >    Primary WINS Server . . . . . . . : 192.168.1.101
> > > > > > > > > >
> > > > > > > > > > Ethernet adapter Network Connection:
> > > > > > > > > >
> > > > > > > > > >    Connection-specific DNS Suffix  . :
> > > > > > > > > >    Description . . . . . . . . . . . : SiS 900-Based PCI Fast Ethernet Adapter
> > > > > > > > > >    Physical Address. . . . . . . . . : 00-E0-06-09-55-66
> > > > > > > > > >    DHCP Enabled. . . . . . . . . . . : No
> > > > > > > > > >    IP Address. . . . . . . . . . . . : 192.168.4.101
> > > > > > > > > >    Subnet Mask . . . . . . . . . . . : 255.255.255.0
> > > > > > > > > >    Default Gateway . . . . . . . . . : 192.168.4.1
> > > > > > > > > >    DNS Servers . . . . . . . . . . . : 192.168.1.101
> > > > > > > > > >    NetBIOS over Tcpip. . . . . . . . : Disabled
> > > > > > > > > >
> > > > > > > > > > Client:
> > > > > > > > > > Windows 2000 IP Configuration
> > > > > > > > > >
> > > > > > > > > >         Host Name . . . . . . . . . . . . : apollo
> > > > > > > > > >         Primary DNS Suffix  . . . . . . . : CertifiedGrinding.local
> > > > > > > > > >         Node Type . . . . . . . . . . . . : Hybrid
> > > > > > > > > >         IP Routing Enabled. . . . . . . . : No
> > > > > > > > > >         WINS Proxy Enabled. . . . . . . . : No
> > > > > > > > > >         DNS Suffix Search List. . . . . . : CertifiedGrinding.local
> > > > > > > > > >
> > > > > > > > > > Ethernet adapter Local Area Connection:
> > > > > > > > > >
> > > > > > > > > >         Connection-specific DNS Suffix  . : CertifiedGrinding.local
> > > > > > > > > >         Description . . . . . . . . . . . : SiS 900 PCI Fast Ethernet Adapter
> > > > > > > > > >         Physical Address. . . . . . . . . : 00-0C-6E-2C-72-E5
> > > > > > > > > >         DHCP Enabled. . . . . . . . . . . : Yes
> > > > > > > > > >         Autoconfiguration Enabled . . . . : Yes
> > > > > > > > > >         IP Address. . . . . . . . . . . . : 192.168.1.10
> > > > > > > > > >         Subnet Mask . . . . . . . . . . . : 255.255.255.0
> > > > > > > > > >         Default Gateway . . . . . . . . . : 192.168.1.1
> > > > > > > > > >         DHCP Server . . . . . . . . . . . : 192.168.1.101
> > > > > > > > > >         DNS Servers . . . . . . . . . . . : 192.168.1.101
> > > > > > > > > >         Primary WINS Server . . . . . . . : 192.168.1.101
> > > > > > > > > >         Lease Obtained. . . . . . . . . . : Tuesday, December 28, 2004 11:15:02 AM
> > > > > > > > > >         Lease Expires . . . . . . . . . . : Wednesday, January 05, 2005 11:15:02 AM
> > > > > > > > > >
> > > > > > > > > > Thank you again for your help
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > "Frank McCallister SBS MVP" wrote:
> > > > > > > > > >
> > > > > > > > > > > Hi Bob
> > > > > > > > > > >
> > > > > > > > > > > Post your IPCONFIG /ALL from server and one WS
> > > > > > > > > > >
> > > > > > > > > > > -- 
> > > > > > > > > > > Frank McCallister SBS MVP
> > > > > > > > > > > COMPUMAC
> > > > > > > > > > > "bobroq" <bobroq@discussions.microsoft.com> wrote in message
> > > > > > > > > > > news:53A178B0-48E4-4D3D-ACEC-31DD6DFBAC00@microsoft.com...
> > > > > > > > > > > > haha... I kept on telling the other guy at work who is helping me work on
> > > > > > > > > > > > this that the ISA server was working perfectly (since we can't get to any
> > > > > > > > > > > > external websites) or we set something up wrong.
> > > > > > > > > > > >
> > > > > > > > > > > > Tomorrow when I go in I will double check to see if we installed the ISA
> > > > > > > > > > > > server (sounds like we didn't)
> > > > > > > > > > > >
> > > > > > > > > > > > I guess that leads me to another question then... what could I have
> > > > > > > > > > > > configured wrong that would prevent me from accessing the outside from my
> > > > > > > > > > > > client machines... My server can reach the internet without a problem.
> > > > > > > > > > > > Thank you for your help.
> > > > > > > > > > > > Bob.
> > > > > > > > > > > >
> > > > > > > > > > > > "Frank McCallister SBS MVP" wrote:
> > > > > > > > > > > >
> > > > > > > > > > > >> Hi Bob
> > > > > > > > > > > >>
> > > > > > > > > > > > >> Did you separately Install ISA from the Premium Technologies CD following
> > > > > > > > > > > > >> the instructions in the document on the root of that CD? Under Start All
> > > > > > > > > > > > >> Programs it will be Listed under Microsoft ISA Server
> > > > > > > > > > > >>
> > > > > > > > > > > >> -- 
> > > > > > > > > > > >> Frank McCallister SBS MVP
> > > > > > > > > > > > >> COMPUMAC
> > > > > > > > > > > > >> "bobroq" <bobroq@discussions.microsoft.com> wrote in message
> > > > > > > > > > > > >> news:D26AD5DB-1156-4673-8397-2F95FD65EE68@microsoft.com...
> > > > > > > > > > > > >> > I was hoping that someone could shed some light on a configuration issue I am
> > > > > > > > > > > > >> > having with my Server.  One of the things that I was really hoping
> > > > > > > > > > > > >> > to do when I switched to SBS was really limit what users can do with their
> > > > > > > > > > > > >> > client computers.
> > > > > > > > > > > > >> >
> > > > > > > > > > > > >> > Specifically I wanted to:
> > > > > > > > > > > > >> > Deny their ability to browse the internet
> > > > > > > > > > > > >> > Deny their ability to install their own programs
> > > > > > > > > > > > >> > Deny their ability to write to any directory besides their my documents
> > > > > > > > > > > > >> > folder or desktop
> > > > > > > > > > > > >> >
> > > > > > > > > > > > >> > I must have done something really wrong when I configured the user accounts
> > > > > > > > > > > > >> > because at this current point in time they all log into the client machines
> > > > > > > > > > > > >> > with administrator privileges.  (I really do not understand why because I
> > > > > > > > > > > > >> > created the accounts with the lowest amount of privileges - using the to do
> > > > > > > > > > > > >> > list add users screen)
> > > > > > > > > > > > >> >
> > > > > > > > > > > > >> > I started reading about group policy objects and I realize that these might
> > > > > > > > > > > > >> > be able to help me limit what folders they can and cannot write to. I
> > > > > > > > > > > > >> > was wondering if anyone had any suggestions on exactly what policies I can set
> > > > > > > > > > > > >> > to obtain my goals.
> > > > > > > > > > > > >> >
> > > > > > > > > > > > >> > I purchased the SBS Premium to get the ISA server 2000. This has worked
> > > > > > > > > > > > >> > great to stop my users from browsing the internet, however I would like to
> > > > > > > > > > > > >> > add one or two sites that they are allowed to go to. When I went to do this
> > > > > > > > > > > > >> > today I realized that I can not (for the life of me) find the ISA management
> > > > > > > > > > > > >> > console.  I know that this should be in Start->all programs->ISA .... However
> > > > > > > > > > > > >> > there is no ISA ... entry in my all programs menu?!
> > > > > > > > > > > > >> >
> > > > > > > > > > > > >> > Thank you very much for any help you can offer
> > > > > > > > > > > > >> > Bob.
> > > > > > > > > > > >>
> > > > > > > > > > > >>
> > > > > > > > > > > >>
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > >
> > > >
> > > >
> >
> >
> >
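
The group change Marina describes at the top of this message, scripted for a current Windows workstation. This is an added example, not part of the original thread. It assumes Windows PowerShell 5.1 with the built-in LocalAccounts cmdlets and that "the domain users" means the Domain Users group (RID 513); the function name is hypothetical.

```powershell
# Added example (not from the thread). Run elevated on the workstation,
# Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).
function Move-DomainUsersToLocalUsers {   # hypothetical name
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Well-known SIDs, so localized group names do not matter.
    $adminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
    $usersSid  = 'S-1-5-32-545'   # BUILTIN\Users

    # Assumption: "the domain users" is the Domain Users group, whose SID is
    # always <domain SID>-513.
    $targets = @(Get-LocalGroupMember -SID $adminsSid |
        Where-Object { $_.SID.Value -match '^S-1-5-21-(\d+-){3}513$' })

    # SIDs already present in the local Users group.
    $usersNow = @(Get-LocalGroupMember -SID $usersSid |
        ForEach-Object { $_.SID.Value })

    foreach ($member in $targets) {
        # Add to Users first so the group is never absent from both.
        if ($usersNow -notcontains $member.SID.Value -and
            $PSCmdlet.ShouldProcess($member.Name, 'Add to local Users')) {
            Add-LocalGroupMember -SID $usersSid -Member $member
        }
        if ($PSCmdlet.ShouldProcess($member.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -SID $adminsSid -Member $member
        }
    }

    # What remains in Administrators, for review.
    Get-LocalGroupMember -SID $adminsSid |
        Select-Object Name, ObjectClass, PrincipalSource
}

# Dry run: reports what would change without touching either group.
Move-DomainUsersToLocalUsers -WhatIf
```

Drop `-WhatIf` to apply the change, and rerun it after any temporary admin grant made for installing applications.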

