Q

How do I use AD to restrict non-admin users from managing other computers on the network?

I am looking for a way to add an Active Directory security policy for disallowing users to manage other computers on the network unless they have admin rights. Any suggestions?
You actually have two solid approaches to this task: controlling remote access and controlling what a user can do once connected.

First, you can prevent users from accessing any computer over the network by locking down the user right "Access the computer from the network." By default, this right is granted to everyone, administrators, users, backup operators and power users. Remove groups that should not have privileges. For ideas on this you might refer to the security template prepared by the Center for Internet Security. You can also use the "Deny access to this computer from the network" right to explicitly deny groups access. This should be done in a group policy object (GPO) and linked to the organizational unit (OU) within which the computer accounts live.

Second, for those servers to which users must connect (file servers, e-mail servers, etc.), don't use these settings. Instead evaluate the group membership users have -- ordinary users are not privileged to use many tools used to manage a computer.

You can further restrict their abilities by using the Administrative Templates portion of the GPO to block view and use of common tools, such as those in Control Panel and from manipulating many settings. Spend some time investigating these settings -- you should find many that will help. You should also investigate the use of NTFS permission settings on tools and utilities to block the ability of ordinary users to run the tools. These permission settings can be set in a GPO as well.

Finally, for XP, there are software restriction policies, useful tools in preventing the use of software -- while allowing administrators to use it.
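As an added example (not part of the original answer), the PowerShell script below audits the two user rights the answer describes on a machine: it exports the effective local security policy with secedit, resolves the SIDs listed for "Access this computer from the network" and "Deny access to this computer from the network" to account names, and flags the broad groups the answer says to reconsider. The list of "broad" groups and the temp file name are this example's own assumptions.

```powershell
# Added audit example: show who effectively holds the allow/deny network logon
# rights on this machine. Run in an elevated PowerShell on Windows.
$cfg = Join-Path $env:TEMP 'userrights-audit.inf'   # assumed scratch file
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed; run as administrator' }

# The exported .inf is UTF-16; its [Privilege Rights] section lists rights as
#   SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,...
$rightsOfInterest = @{
    'SeNetworkLogonRight'     = 'Access this computer from the network'
    'SeDenyNetworkLogonRight' = 'Deny access to this computer from the network'
}
$lines = Get-Content -Path $cfg -Encoding Unicode

function Resolve-Sid([string]$entry) {
    # secedit prefixes SIDs with '*'; an entry without it is already a name
    $s = $entry.Trim()
    if ($s.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($s.Substring(1))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $s }   # unresolvable SID (deleted account, untrusted domain)
    }
    return $s
}

# Broad groups the answer suggests removing from the allow right
# (constructed list for this example; adjust to your environment)
$broad = @('Everyone', 'BUILTIN\Users', 'BUILTIN\Power Users')

foreach ($right in $rightsOfInterest.Keys) {
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $members = if ($line) {
        ($line -split '=', 2)[1] -split ',' | ForEach-Object { Resolve-Sid $_ }
    } else { @() }
    Write-Host "`n$($rightsOfInterest[$right]) ($right):"
    if (-not $members) { Write-Host '  (no one)' }
    foreach ($m in $members) {
        $flag = ''
        if ($right -eq 'SeNetworkLogonRight' -and $broad -contains $m) {
            $flag = '  <-- broad group, review'
        }
        Write-Host "  $m$flag"
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Running it on a workstation before and after linking the GPO to the computer OU confirms that the policy actually took effect on that machine.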

This was first published in February 2003
