How to Prevent Cusrmgr.exe for Selected Servers...

G

Guest

Hi

We have a number of logon scripts that are executed anytime someone logs in to the domain. One of these, uses the current logon user's access (all of our users are local admins to their own machine) to add certain domain groups (domain-admin, help, etc.) to the local Administrators groups

Because of security concerns, our DBAs would like to prevent this from happening on selected Windows 2000 and 2003 servers. Rather than putting conditional statements in the scripts and having the DBAs constantly visit Network Engineers anytime a change is needed, I was hoping there was a way to allow the DBAs to block the process via some local policy setting on each server. The DBAs are Administrators on the servers they manage

Any ideas

Thanks
 
S

Steven L Umbach

If that logon script is configured via Group Policy/user configuration then you could
try putting those computers in their own OU with it's own GPO and configure "loopback
processing" at the computer level. What that does is when a user logs onto a computer
with loopback processing, the user configuration for the OU that the computer is in
is applied to the user instead of their usual user configuration in a merge or
replace mode. See the link below for more details. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;231287

John said:
Hi.

We have a number of logon scripts that are executed anytime someone logs in to the
Click to expand...
domain. One of these, uses the current logon user's access (all of our users are
local admins to their own machine) to add certain domain groups (domain-admin, help,
etc.) to the local Administrators groups.
Because of security concerns, our DBAs would like to prevent this from happening on
Click to expand...
selected Windows 2000 and 2003 servers. Rather than putting conditional statements in
the scripts and having the DBAs constantly visit Network Engineers anytime a change
is needed, I was hoping there was a way to allow the DBAs to block the process via
some local policy setting on each server. The DBAs are Administrators on the servers
they manage.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Users should not shutdown or restart servers 2
Anyway to Copy Local User/Groups between Windows 2003 Servers 1
Hardening Member Servers 2
Domain Controller Administration 4
local account admin has access to other PC's if admin password is 4
Remove domain admins from local admins group on specific servers 6
Ports Required for client authentication to AD 2
Changing process priorities of normal users 3

Top