disable net create command


santo

A user created a local admin account by writing a net
create batch file in WordPad and ran it, creating a local
admin account. He logged on to this account and then was able
to use net send. I disabled Run and other functions from
the students but this was a creative way around. Any
suggestions to prevent users from using the net create or
creating batch files, or any other suggestion? I'm using
Server 2000 and I'm OK with Active Directory and Group Policy.
Clients are using Windows 2000. Thanks, santo
 
What was the batch file? You can not "create" an administrator account via the
operating system without already having administrator rights. Now if he can boot from
a cdrom/floppy or other device he may have used a password reset program or renamed
the sam account. --- Steve
 
Batch file created is:
net user <user> <password> /add
This creates a local acct. which does not get the
restrictions from Group Policy. My mistake, it's not an admin
acct, just unrestricted through Group Policy.
Thanks, santo (learning in the fly)
-----Original Message-----
What was the batch file? You can not "create" an administrator account via the
operating system without already having administrator
rights. Now if he can boot from
a cdrom/floppy or other device he may have used a
password reset program or renamed
 
OK. Then that user must be in the power users local group on that computer.
If you do not need them to be power users, then remove them from the power
users group. However I understand certain applications may not run as a
regular user so that may not be possible.

You can disable any executable such as "net" by giving the user/group deny
NTFS permissions to the file - wherever they may be on the computer.
Unfortunately for a file like net, it is not hard for a user to copy another
instance of it to their computer. You can use Group Policy to some degree to
prevent program execution, keeping in mind that a user may simply be able to
rename the file. Go to user configuration/administrative templates/system to
see options to add disallowed programs and you may want to disable the
command prompt and registry editing tools while there. Disabling the command
prompt will not allow any authorized startup/logon scripts to run either.

Another thing to try is to change the user rights assignment for log on
locally. I would test this on one computer first. Add the "domain users"
global group and remove all other groups. That should prevent a user from
logging on with a local account to try to bypass Group Policy. Good
luck. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;323525
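
The checks discussed in the reply above (Power Users membership, stray local accounts, permissions on the net binaries) can be gathered in one audit batch file. This is an added example, not part of the original thread; it assumes an administrator command prompt on the Windows 2000 client, and EXAMPLEDOM, Students and STRAYACCOUNT are placeholders.

```batch
@echo off
rem Added example: audit a Windows 2000 client for the conditions
rem discussed in this thread. Run from an administrator account.
rem The script only reads state; remediation lines are commented out.

echo === Members of the local Power Users group ===
net localgroup "Power Users"

rem Flag the case raised in the thread: ordinary domain users sitting
rem in Power Users, which lets them run "net user ... /add".
net localgroup "Power Users" | find /i "Domain Users" >nul
if not errorlevel 1 echo WARNING: Domain Users is a member of Power Users.

echo === Members of the local Administrators group ===
net localgroup Administrators

echo === Local accounts on this computer ===
rem Without /domain this lists the accounts in the local SAM only.
rem Anything other than the expected built-in accounts needs review.
net user

echo === Current ACLs on the net command binaries ===
if exist "%SystemRoot%\system32\net.exe" cacls "%SystemRoot%\system32\net.exe"
if exist "%SystemRoot%\system32\net1.exe" cacls "%SystemRoot%\system32\net1.exe"

rem Remediation, to be edited and tested on one computer first
rem (all names below are placeholders):
rem   net localgroup "Power Users" "EXAMPLEDOM\Domain Users" /delete
rem   net user STRAYACCOUNT /delete
rem   cacls "%SystemRoot%\system32\net.exe" /E /D "EXAMPLEDOM\Students"
```

The deny ACL only covers the copy of the file it is set on, so it does not stop a copied or renamed binary; removing the Power Users membership addresses the account creation itself.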
 