In this expert advice collection, networking security expert Wes Noonan shares his advice on some popular domain management and Group Policy questions. Visit Wes's entire archive of advice and see if he has already answered a question specific to your networking needs, or even ask him a question of your own.
Preventing domain users from accessing every server on the network
How can I prevent a domain user or computer from accessing all servers on the network? I only want them to be able to access one server.
One effective method of doing this would be to add the user to a group that you create (for example Server A Users) and then remove them from the domain users group. Next, make the group that you created a member of the appropriate local groups on the server to grant them the level of access you desire. For example, if you want them to be just a regular user, you can add the global group to the local "Users" group.
Preventing domain admins from logging onto domain controllers
How can I prevent certain users who are domain administrators from logging onto domain controllers?
That depends on the kind of user they are. If they are a member of a group that grants them rights on domain controllers (for example, Domain Admins) there really isn't a way to do that. If your domain is small enough, you could specify the list of computers they are allowed to log on to, excluding the domain controllers, but I think this would rapidly become unmanageable (every time you add a computer, you potentially need to update the list of computers they can log on to), as well as being rendered ineffective if the users in question are domain admins (they can always come in behind you and undo it).
Now, assuming that this is not a domain admin, the ability to logon to a domain controller is defined in the Default Domain Controllers Group Policy. You can view this by right clicking on the Domain Controllers OU in Active Directory Users and Computers and selecting "Properties". Click on the "Group Policy" tab, select the policy and click "Edit". Navigate using the Group Policy Object Editor to the following branch:
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
In the right hand window, look for either "Log on locally" or "Allow Logon Locally" (it differs depending on which version of Windows you are using). Double click on the policy and add/remove users from that list accordingly and check the box next to "Define these policy settings:" to define who will be allowed to logon locally. By default, the following accounts/groups can logon locally to domain controllers:
- Account Operators
- Backup Operators
- Print Operators
- Server Operators
- Corresponding Internet Users (IUSR_
As always, rather than directly editing the Default Domain Controllers Group Policy, you should create a new group policy object with the settings you want. Also, be advised that changing the default settings can cause unexpected and potentially damaging results to your systems.
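As an added example that is not from the original article, the following PowerShell script (run in an elevated session on a domain controller) exports the effective user-rights assignment with secedit and lists who currently holds "Allow log on locally", flagging any account outside the expected default groups so it can be reviewed in the GPO. The expected-group list and the temporary file path are assumptions.

```powershell
# Added example (not from the original article): audit which accounts hold the
# "Allow log on locally" right (SeInteractiveLogonRight) on the machine it runs on.
# Run in an elevated PowerShell session on a domain controller.
# The expected list below is an assumption based on the groups named in the article,
# plus the built-in Administrators group.
$expected = @(
    'BUILTIN\Administrators',
    'BUILTIN\Account Operators',
    'BUILTIN\Backup Operators',
    'BUILTIN\Print Operators',
    'BUILTIN\Server Operators'
)

# Export only the user-rights area of the effective local security policy.
$cfg = Join-Path $env:TEMP 'userrights.inf'   # assumed scratch location
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw 'secedit export failed' }

# Find the SeInteractiveLogonRight line, e.g.:
#   SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,...
$line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue
if (-not $line) { throw 'SeInteractiveLogonRight not present in export' }

$entries = ($line -split '=', 2)[1].Trim() -split ','
$holders = foreach ($e in $entries) {
    $e = $e.Trim()
    if ($e.StartsWith('*')) {
        # SID form: resolve to an account name where possible.
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $e }   # unresolvable SID (e.g. deleted account): keep the raw value
    } else { $e }        # already an account name
}

# Report each holder; anything outside the expected set is marked for review.
foreach ($h in $holders) {
    $flag = if ($expected -contains $h) { 'expected' } else { 'REVIEW' }
    '{0,-10} {1}' -f $flag, $h
}
```

Entries marked REVIEW are not necessarily wrong; they are the accounts to compare against the GPO that actually defines the right before deciding whether to remove them.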
Implement Group Policies on a mixed domain
I am trying to do Group Policies on a mixed domain (WK2000 and WK2003 servers) with Win2000 and WinXP Pro machines. How can I do this? I am having problems with the existing policies.
One method that I would consider is to use OU specific group policy objects and group your computers in the appropriate OUs. One of the most important aspects of Active Directory design that I think has been frequently overlooked is to ensure that you design your AD structure to accommodate what you want to do with group policy.
Determining and applying account policies
If you have two domains on your network that are located at the same physical site and you want to implement an account policy that requires passwords of at least eight characters and should meet complexity requirements -- do you apply the account policy setting at the site? What account policies should you use?
You would need to apply the account policy separately on each domain. Even though the group policy MMC snap-ins will display the "Password Policy" branch for OUs and sites, you can only define the password policy at the domain level. This is because there can only be a single password policy in a given Active Directory domain, which effectively means that you can only define it at the domain level. Also, just as a note regarding best practices, rather than modifying the default domain policy, you should create an additional group policy object with the password policy settings that you want to apply.
This was first published in July 2006