Active Directory
user name
2007-08-30 01:18:37
What is the easiest way to lock a lower-level administrator from using the PC via Active Directory?

When disabling a computer, what else can be done without having to block the IP address or MAC to make sure the PC does not get on the network and/or change the computer name?

RE: Active Directory
user name
2007-08-30 09:20:07
Without having more detail, I would say that you could use a combination of user permissions and user-level group policy. It's hard to say more than that without knowing exactly what it is that you want to restrict them from doing. As a rule, you should look to grant permissions/policies that give them the bare minimum they need to perform their job functions.

Devin




RE: Active Directory
user name
2007-09-03 10:55:19
It sounds to me like you may have issues with rights delegation. Ideally you should not be using the administrators group to assign permissions to perform specific tasks. Instead, you should use domain-based groups that have been assigned specific AD rights or specific localized privileges. For example, if you have someone involved in your web applications who should have admin on the 10 servers for web apps but not for any other server in the organization, you construct a group called "IT - WebApp Admins" which is by default assigned no rights at the AD level. You log in to the 10 servers or whatever that make up the administrative scope for this privilege and assign this new group administrator rights locally.

This can be more time consuming to implement but is a far more granular implementation of rights in the long term.

Now, as far as specifically locking out an administrator regardless of admin rights that may already be assigned, that is done through one of two methods: either the local security policy (pre-Vista) or the assignment of security policy through a GPO (nearly any Windows OS in a domain environment). You need to deny logon locally and/or deny logon through the network. The only other thing you need to consider here is that your RDP rights assignment for a given machine may include blanket permissions for the administrators group. You will want to look at that.

As far as disabling a computer is concerned, are you looking to physically disable it so it will not turn on or simply remove it from network use? At the present time, I am guessing the latter, but in either case there is no way to authoritatively do either without moving beyond the MS/Windows environment and working on the network switch. In a Server 2008 environment with appropriate hardware, the answer for the latter is exercising Network Access Protection (NAP), which one would hope was already in your network infrastructure.

NAP: http://technet.microsoft.com/en-us/network/bb545879.aspx


Wayne S. Anderson
http://www.linkedin.com/in/wayneanderson




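The delegation and lockout steps Wayne describes, scripted as an added example (not code from the thread or from any poster): a domain group with no AD-level rights is made a local Administrator only on the servers in scope, and each server is then audited for the deny-logon rights and for blanket RDP access by the Administrators group. It assumes the ActiveDirectory and LocalAccounts PowerShell modules, WinRM remoting, and the constructed names corp.example, web01..web03 and OU=Groups.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# and Microsoft.PowerShell.LocalAccounts modules and WinRM on the targets.
Import-Module ActiveDirectory

$GroupName  = 'IT - WebApp Admins'
$WebServers = 'web01', 'web02', 'web03'              # constructed server names
$GroupOU    = 'OU=Groups,DC=corp,DC=example'         # constructed OU path

# 1. Create the group. It carries no AD rights by itself; it only gains
#    privilege where it is explicitly added to a local group.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Path $GroupOU -Description 'Local Administrators on web servers only'
}

# 2. Grant local admin only on the machines that form the administrative scope.
Invoke-Command -ComputerName $WebServers -ScriptBlock {
    Add-LocalGroupMember -Group 'Administrators' -Member $using:GroupName `
        -ErrorAction SilentlyContinue
}

# 3. Audit effective logon rights on each server (local policy plus GPO).
#    secedit writes lines like "SeDenyNetworkLogonRight = *S-1-5-32-546";
#    *S-1-5-32-544 is the built-in Administrators group.
Invoke-Command -ComputerName $WebServers -ScriptBlock {
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $inf | Out-Null
    $rights = Get-Content $inf |
        Where-Object { $_ -match '^Se(Deny)?(Interactive|Network|RemoteInteractive)LogonRight' }
    Remove-Item $inf -ErrorAction SilentlyContinue

    $rdpAllow = $rights | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight' }
    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        DenyLocalLogon      = ($rights -match '^SeDenyInteractiveLogonRight') -join ''
        DenyNetworkLogon    = ($rights -match '^SeDenyNetworkLogonRight') -join ''
        AdminsHaveBlanketRdp = [bool]($rdpAllow -match '\*S-1-5-32-544')
    }
} | Format-Table -AutoSize
```

Empty Deny columns mean no deny-logon right is set on that server; a True in the last column is the blanket RDP assignment for Administrators that Wayne says to look at.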