AD domain: scheme for revoking domain users' local Administrator permission
I. Introduction
Most of the company's hosts have been joined to the domain for some time. Because some software cannot run without Administrator permission, that permission was never revoked, so domain management could not take full effect. At a minimum, though, domain users were prevented from leaving the domain: http://www.cnblogs.com/sjy000/p/4713389.html.
After Administrator permission is revoked, all users are placed in the Power Users group; only the supervisor remains in the Administrators group. Members of Power Users can access all local resources normally but cannot install software, modify the registry, change TCP/IP settings or change computer settings. When a colleague needs a computer setting changed, they apply to the SA (system administrator), who logs on with the administrator account and makes the change. When software needs to be installed, the SA enters the program's full path into a batch file, which uses the runas command so that the program is executed as administrator while the user stays a common user. Software can also be deployed through domain group policy.
There is also the question of which identity domain group policy scripts run under. A domain group policy script executes as the logged-on user, and that user only belongs to the Power Users group, so any script command that modifies system settings does not take effect. In this case the original script must be executed through the runas command as administrator.
II. Server Configuration
1. Remove domain users from local Administrators and prevent local users from logging on
The membership of the Administrators group is set to Domain Admins only, and the Power Users and Users groups contain only Domain Users.
This setting has a bonus effect: local users can no longer log on, because they no longer belong to any of these three local groups.
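The following audit script is an added example (not part of the original post) that checks a client's local group membership against the scheme above. It assumes the domain NetBIOS name TEST used later in this post, and Windows PowerShell 5.1 or later for Get-LocalGroupMember and Get-LocalUser.

```powershell
# Added example: verify that local groups on this client match the scheme
# (Administrators = Domain Admins only; Power Users and Users = Domain Users).
# $Domain is an assumption taken from the TEST domain used in this post.
$Domain = 'TEST'
$Expected = @{
    'Administrators' = @("$Domain\Domain Admins")
    'Power Users'    = @("$Domain\Domain Users")
    'Users'          = @("$Domain\Domain Users")
}

$Findings = @()
foreach ($Group in $Expected.Keys) {
    # Names come back as DOMAIN\Account or COMPUTER\Account
    $Members = @(Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name)

    foreach ($M in $Members) {
        if ($Expected[$Group] -notcontains $M) {
            $Findings += "$Group has unexpected member: $M"
        }
    }
    foreach ($E in $Expected[$Group]) {
        if ($Members -notcontains $E) {
            $Findings += "$Group is missing expected member: $E"
        }
    }
}

# Under this scheme enabled local accounts can no longer log on interactively,
# but list them so they can be disabled or removed explicitly.
Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
    $Findings += "Enabled local account present: $($_.Name)"
}

if ($Findings.Count -eq 0) {
    'OK: local groups match the scheme'
} else {
    $Findings
}
```

Run it on a client after the group policy has applied (gpupdate /force first); any line of output other than the OK message is a deviation to investigate.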
2. Run runas once on the client and save the administrator password
The domain is TEST.COM and the account is administrator.
The /savecred option saves the password after the first execution, so later runas calls for this account run without prompting. The /noprofile option prevents the user's profile from being loaded; without it, some hosts cannot find the path.
runas /savecred /noprofile /user:TEST\administrator calc.exe
3. Point runas at the old domain group policy script so that it runs as administrator
runas /savecred /noprofile /user:TEST\administrator \\192.168.1.100\bat\old.bat
Once started through runas, the batch file runs in a visible console window. The following lines tidy that window and hide the execution result (command stands for the actual command being run):
title XX Company System Management script
color 1F
echo Configuring, do not close...
rem Redirect the output to a temporary file and delete it to hide the execution result
command > %temp%\result.tmp
del %temp%\result.tmp
4. Batch tool for the SA to run and install software
The SA enters the complete path of the program, and it is run as administrator. The path is quoted so that paths containing spaces work.
@echo off
color 1F
title Administrator
echo.
set /p a=Enter the program path: 
runas /savecred /noprofile /user:TEST\administrator "%a%"
pause
The Bat To Exe Converter tool converts the batch file to an .exe program so that users cannot view the commands.
III. Client Testing
1. Run runas once to save the administrator password.
2. Try to modify the IP address, create an account, modify system settings and install software.
3. Try logging on with the old local administrator account.
4. The SA uses the batch tool to help colleagues install software.
This article is from the "O&M cainiao.log" blog and may not be reposted.