disable net create command


santo

A user created a local admin account by writing a net create batch file
in WordPad and ran it, creating a local admin account. He logged on to this
account and then was able to use net send. I disabled Run and other functions
from the students, but this was a creative way around. Any suggestions to
prevent users from using the net create or creating batch files, or any other
suggestion? I'm using Server 2000 and I'm OK with Active Dir and Group Policy.
Clients are using Windows 2000. Thanks, santo
 
What was the batch file? You cannot "create" an administrator account via the
operating system without already having administrator rights. Now if he can
boot from a cdrom/floppy or other device he may have used a password reset
program or renamed the sam account. --- Steve
 
batch file created is:
net user <user> <password> /add
This creates a local acct. which does not get the restrictions from Group
Policy. My mistake, it's not an admin acct, just unrestricted through Group
Policy.
Thanks, santo (learning in the fly)
 
OK. Then that user must be in the power users local group on that computer.
If you do not need them to be power users, then remove them from the power
users group. However I understand certain applications may not run as a
regular user so that may not be possible.

You can disable any executable such as "net" by giving the user/group deny
NTFS permissions to the file - wherever they may be on the computer.
Unfortunately for a file like net, it is not hard for a user to copy another
instance of it to their computer. You can use Group Policy to some degree to
prevent program execution, keeping in mind that a user may simply be able to
rename the file. Go to user configuration/administrative templates/system to
see options to add disallowed programs and you may want to disable the
command prompt and registry editing tools while there. Disabling the command
prompt will not allow any authorized startup/logon scripts to run either.

Another thing to try is to change the user rights assignment for log on
locally. I would test this on one computer first. Add the "domain users"
global group and remove all other groups. That should prevent a user from
logging on with a local account to try to bypass Group Policy. Good
luck. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;323525
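
A check for the "log on locally" suggestion above, added here as an example and not part of the thread: it reads the text of a security policy export (for instance from `secedit /export /cfg`) and lists every holder of SeInteractiveLogonRight other than Domain Users. The sample export and its domain SID are constructed for illustration.

```python
import re

# Well-known local (BUILTIN) group SIDs. Accounts made with
# "net user <user> <password> /add" join the local Users group by default.
BUILTIN = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-546": "Guests",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-551": "Backup Operators",
}
DOMAIN_USERS = re.compile(r"^S-1-5-21-\d+-\d+-\d+-513$")  # RID 513 = Domain Users

def logon_locally_holders(inf_text):
    """Return the principals listed for SeInteractiveLogonRight."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "privilege rights" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "seinteractivelogonright":
                return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return []

def audit(inf_text):
    """Return (allowed, findings); findings are holders other than Domain Users."""
    allowed, findings = [], []
    for p in logon_locally_holders(inf_text):
        if DOMAIN_USERS.match(p):
            allowed.append(p)
        else:
            findings.append(f"{p} ({BUILTIN.get(p, 'review manually')})")
    return allowed, findings

# Constructed sample export; the domain SID is made up.
SAMPLE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-547,*S-1-5-21-1111111111-2222222222-3333333333-513
"""

if __name__ == "__main__":
    ok, bad = audit(SAMPLE)
    print("Domain Users entries:", ok)
    for finding in bad:
        print("Still allowed to log on locally:", finding)
```

Any local group left in the findings, the local Users group in particular, means a newly added local account can still log on at the console.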
 
