Re: Deny administrator local login

In news:uQ2KqNhGGHA.376@xxxxxxxxxxxxxxxxxxxx,
Oli Restorick [MVP] <oli@xxxxxxxx> typed:
> Actually, I've implemented the deny logon locally trick on
> workstations to stop inappropriate use of accounts with domain admin
> membership.

Ah, but who would be able to effect that membership in the first place?

> Personally, I regard logging on interactively to anything
> other than a domain controller as inappropriate.

Well, I'm not that fussy about it, as long as nobody unauthorized has the
credentials & can't change group membership. It's often useful for testing.

> I wish Microsoft's
> defaults included a "Workstation admins" group, as so many admins use
> domain admin accounts on workstations. This makes it absolutely
> trivial for an employee to gain domain admin rights.

Does it?
>
> For TZanolo's information, the following KB article is the closest I
> can find to the solution, even though it describes adding rights,
> rather than removing them. It's not too much of a challenge to
> interpret the article to either remove the domain admins group from
> having the right to log on locally, or editing the deny logon locally
> privilege.
> http://support.microsoft.com/kb/285793/en-us
>
> As Miha and Lanwench have pointed out, take *great* care to ensure
> that you don't lock yourself out of the entire domain.
>
> It should also be pointed out that denying local logon also prevents
> the use of the RunAs command.
>
> Oli
>
>
> "Lanwench [MVP - Exchange]"
> <lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
> message news:%23PPQ0mVGGHA.1312@xxxxxxxxxxxxxxxxxxxxxxx
>>
>>
>> In news:%23PXXLcQGGHA.140@xxxxxxxxxxxxxxxxxxxx,
>> TZanolo <zanolo2@xxxxxxxxxxx> typed:
>>> We use a Windows XP machine with an imagesetter connected through a SCSI
>>> card. We need admin privileges to manage it. But we are using the
>>> domain administrator account... So only 3 people here know its
>>> password. But now a lot of people will work here and they must
>>> operate the imagesetter remotely. I don't want these new people to
>>> know the master password for my domain. So I will create a simple
>>> account and give it local administrator privileges only on that
>>> machine. And everyone will know only this password.
>>
>> Sounds good.
>>
>>> I just need to "deny logon
>>> locally" to the administrator account just to force my older users
>>> not to use its password anymore on that machine.
>>
>> Sounds bad. Just change the password so that unauthorized users
>> can't use the domain admin credentials.
>>
>>
>>>
>>>
>>>
>>> THANKS!
>>>
>>>
>>> "Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx> wrote in message
>>> news:O70AOcIGGHA.1192@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Yes it is possible. Edit policy and put Administrator account in
>>>> "Deny logon locally".
>>>>
>>>> Deny logon locally
>>>> http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/537.mspx
>>>>
>>>> Note: be very careful what you do, because you _can_ lock yourself
>>>> out. Also note that an administrator can bypass this policy if he/she
>>>> really wants to. My question: why would you want to implement such a
>>>> policy? What is your reason behind this?
>>>>
>>>> --
>>>> Mike
>>>> Microsoft MVP - Windows Security
>>>>
>>>> "TZanolo" <zanolo2@xxxxxxxxxxx> wrote in message
>>>> news:u6PUUUIGGHA.1552@xxxxxxxxxxxxxxxxxxxxxxx
>>>>> I want the administrator to be unable to log in locally on a Windows XP
>>>>> Professional workstation. My server is Win2k with a domain. Is there
>>>>> a way?
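
The thread describes the "Deny log on locally" user right (Miha's answer) and the lockout and RunAs caveats (Miha's note, Oli's remark). The script below is an added example, not from any poster in this thread: it exports the local security policy with secedit, shows which principals already hold SeDenyInteractiveLogonRight, and adds one more, refusing to proceed if the principal applies to the current logon session so you cannot deny yourself. It assumes an elevated PowerShell session on a domain-joined workstation, that secedit.exe is available, and that the account name passed in resolves to a SID on that machine; CONTOSO\Domain Admins in the comment is a placeholder, not a name from the thread.

```powershell
# Added example (not the thread's code): inspect and safely extend the local
# "Deny log on locally" user right (SeDenyInteractiveLogonRight) on one machine.
# Assumptions: elevated session, secedit.exe present, $DenyAccount resolvable.
param(
    [Parameter(Mandatory = $true)]
    [string]$DenyAccount,   # e.g. 'CONTOSO\Domain Admins' (placeholder domain name)
    [switch]$Apply          # without -Apply the script only reports what it would do
)

$tmpCfg = Join-Path $env:TEMP 'secpol-export.inf'
$tmpDb  = Join-Path $env:TEMP 'secpol-apply.sdb'

# 1. Export the current local security policy to an INF template.
& secedit.exe /export /cfg $tmpCfg /quiet | Out-Null
if (-not (Test-Path $tmpCfg)) { throw "secedit export failed" }

# 2. Resolve the principal to a SID; user rights are stored as *S-1-5-... entries.
$sid = (New-Object System.Security.Principal.NTAccount($DenyAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 3. Lockout guard: if the current token is, or is a member of, that principal,
#    applying the right would deny the very account doing the change.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myGroupSids = $me.Groups | ForEach-Object { $_.Value }
if ($me.User.Value -eq $sid -or $myGroupSids -contains $sid) {
    throw "Refusing: '$DenyAccount' ($sid) applies to the current logon; you would lock yourself out."
}

# 4. Read the existing SeDenyInteractiveLogonRight line (absent if nobody is denied yet).
$current = Get-Content $tmpCfg | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
$existing = @()
if ($current) {
    $existing = ($current -replace '^SeDenyInteractiveLogonRight\s*=\s*', '') -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ }
}
Write-Host "Currently denied interactive logon: $($existing -join ', ')"

if ($existing -contains "*$sid") { Write-Host "Already denied, nothing to do."; return }
if (-not $Apply) { Write-Host "Dry run: would add *$sid ($DenyAccount). Re-run with -Apply."; return }

# 5. Write a minimal template that touches only this right and apply it.
$newValue = (@($existing) + "*$sid") -join ','
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = $newValue
"@ | Set-Content -Path $tmpCfg -Encoding Unicode

& secedit.exe /configure /db $tmpDb /cfg $tmpCfg /areas USER_RIGHTS /quiet | Out-Null
Write-Host "Applied. Members of '$DenyAccount' can no longer log on at the console or via RunAs here."
```

Run it once without -Apply to see who is already denied and whether the guard trips, then with -Apply. The guard checks the current token's group SIDs rather than the account name because, as Oli's scenario shows, the thing usually being denied is a group (Domain Admins) and the person running the script is often a member of it. The deny right is evaluated before the corresponding allow right, so adding Domain Admins here overrides their membership in the local Administrators group for interactive logon; on a domain member the local setting is also subject to being overwritten by a GPO that defines the same right, which is where the change belongs if it is meant to cover more than one workstation.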