P
Pat
Running W2K with AD, what are the default Security settings for the
User folder in AD?
User folder in AD?
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
S
Steven L Umbach
The administrator, domain admins, and enterprise admins have everything but
full control, system has full control, authenticated users has read,
everyone has change password, and if present the pre-2000 group has read.
You can also use the dsacls /s command to reset any object or container back
to default settings as defined in the schema if need be. Be very careful
changing any AD permissions and document/test well as you can prevent users
from changing passwords, prevent administrators from modifying Group Policy,
prevent Group Policy from applying to users, etc. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;281146
full control, system has full control, authenticated users has read,
everyone has change password, and if present the pre-2000 group has read.
You can also use the dsacls /s command to reset any object or container back
to default settings as defined in the schema if need be. Be very careful
changing any AD permissions and document/test well as you can prevent users
from changing passwords, prevent administrators from modifying Group Policy,
prevent Group Policy from applying to users, etc. --- Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;281146
P
Pat
If I create a new user and it is only a member of the domain users, I
log on with that user and can connect to a server thru computer
management . where would it pick up these rights, i want to remove
them.
log on with that user and can connect to a server thru computer
management . where would it pick up these rights, i want to remove
them.
S
Steven Umbach
They can connect, but can not do much as a regular user. The main thing you can
do to prevent access to other servers is to disable their ability to use
Computer Management via Group Policy user configuration/administrative
templates/Windows components/Microsoft Management Console/restricted&permitted
snapins. You can also control access to other computers in the domain by using
ipsec policies and modifying the user rights assignments for access this
computer from the network and deny access to this computer form the network. Do
not change those user rights on domain controllers however, or a user may not be
able to logon to the domain. Be careful when applying Group Policy because if
you apply it at the domain level it will also apply to administrators unless you
give them deny permissions to apply in the GPO security policies which is
referred to as "filtering" policy. --- Steve
do to prevent access to other servers is to disable their ability to use
Computer Management via Group Policy user configuration/administrative
templates/Windows components/Microsoft Management Console/restricted&permitted
snapins. You can also control access to other computers in the domain by using
ipsec policies and modifying the user rights assignments for access this
computer from the network and deny access to this computer form the network. Do
not change those user rights on domain controllers however, or a user may not be
able to logon to the domain. Be careful when applying Group Policy because if
you apply it at the domain level it will also apply to administrators unless you
give them deny permissions to apply in the GPO security policies which is
referred to as "filtering" policy. --- Steve
P
Pat
thank you for the response
They can connect, but can not do much as a regular user. The main thing you can
do to prevent access to other servers is to disable their ability to use
Computer Management via Group Policy user configuration/administrative
templates/Windows components/Microsoft Management Console/restricted&permitted
snapins. You can also control access to other computers in the domain by using
ipsec policies and modifying the user rights assignments for access this
computer from the network and deny access to this computer form the network. Do
not change those user rights on domain controllers however, or a user may not be
able to logon to the domain. Be careful when applying Group Policy because if
you apply it at the domain level it will also apply to administrators unless you
give them deny permissions to apply in the GPO security policies which is
referred to as "filtering" policy. --- Steve