First, Introduction
Most of the company's hosts have been joined to the domain for some time. Because one piece of software cannot run without administrator rights, users' administrator rights were never revoked, so the management benefits of the domain could not be fully realized. At least domain users cannot escape domain control: http://www.cnblogs.com/sjy000/p/4713389.html.
After administrator rights are revoked, all users are placed in the Power Users group, and only the supervisor remains in the Administrators group. Members of Power Users have normal access to all local resources but cannot install software, modify the registry, change TCP/IP settings, change computer settings, and so on. When a colleague needs to change a computer's settings, they apply to the SA, who logs in with an administrator account. To install software, the SA enters the program's full path into a batch file; the batch file uses the RunAs command, which lets a normal user run a program as an administrator. Software can also be deployed through domain Group Policy.
The identity under which domain Group Policy scripts run also needs to be addressed. A domain Group Policy script runs as the logged-on user, who is now only a member of the Power Users group, so the script fails when its commands modify system settings. The RunAs command is used here as well, so that the original script runs as an administrator.
Second, the server configuration
1. Revoke local administrator rights from domain users and prohibit local user login
The Administrators group is set to contain only Domain Admins; the Power Users and Users groups contain only domain users.
This setting has an additional benefit: local users cannot log on, because they no longer belong to any of these three local groups.
2. Run RunAs once on the client to save the administrator's password
The domain is test.com and the administrator account is Administrator.
The /env option uses the current environment; the /savecred option saves the password after the first run, so it is not requested again.
runas /env /savecred /user:test\administrator calc.exe
3. Point the runas command at the old domain Group Policy script so that it runs as administrator
runas /env /savecred /user:test\administrator \\192.168.1.100\bat\old.bat
After RunAs is used, the batch file runs in a window, which the script tidies up:
title XX company System Management script
color 1F
echo Configuring, do not close ...
:: Hide execution results ("Command" stands for the real command)
Command >%temp%\result.tmp
del %temp%\result.tmp
4. Write a batch file that the SA runs to install software
The batch file runs the program once its full path has been entered.
@echo off
color 1F
title Administrator
:: Read the full path of the program into %a%
set /p a=
:: Run that program as the domain administrator
runas /env /savecred /user:test\administrator %a%
The Bat To Exe Converter tool converts the batch file into an EXE program, which prevents users from viewing the commands.
Third, client testing
1. Run RunAs once to save the administrator password
2. Attempt to modify the IP address, create an account, modify system settings, and install software
3. Try logging in with the old local Administrator account
4. The SA uses the batch file to help colleagues install software
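A check to go with test step 1, as an added example that is not part of the original article: the password saved by /savecred is kept in the logged-on user's Windows credential store and is not tied to calc.exe or old.bat, so it is worth listing what each client actually holds. It assumes English-language cmdkey output; the function name and the sample lines are constructed for illustration.

```powershell
# Added example, not from the original article. Assumes English-language
# "cmdkey /list" output; Get-SavedRunasCredential is a hypothetical name.
function Get-SavedRunasCredential {
    param(
        # Lines of "cmdkey /list" output; defaults to querying the live machine.
        [string[]]$CmdkeyOutput = (cmdkey /list)
    )
    $target = $null
    foreach ($line in $CmdkeyOutput) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            # Remember the target until its "User:" line arrives.
            $target = $Matches[1]
        }
        elseif ($target -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $user = $Matches[1]
            # Credentials saved by "runas /savecred" are listed with a
            # "Domain:interactive=" target; other entries are skipped.
            if ($target -like 'Domain:interactive=*') {
                [pscustomobject]@{ Target = $target; User = $user }
            }
            $target = $null
        }
    }
}

# Constructed sample output for the article's test.com domain (not a real capture).
$sample = @(
    'Currently stored credentials:'
    ''
    '    Target: Domain:interactive=TEST\administrator'
    '    Type: Domain Password'
    '    User: TEST\administrator'
    ''
    '    Target: LegacyGeneric:target=fileserver'
    '    Type: Generic'
    '    User: alice'
)

# Offline run against the constructed sample.
Get-SavedRunasCredential -CmdkeyOutput $sample | Format-Table -AutoSize

# On a client, call Get-SavedRunasCredential with no arguments as the
# logged-on user; an entry can be removed with: cmdkey /delete:<Target>
```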
This article is from the "Operation and maintenance rookie. Log" blog; reprinting is declined!
AD domain: scheme for revoking domain users' administrator permissions