Preventing domain hosts from leaving the domain or escaping domain control
I. Introduction
Once all of the company's hosts have been joined to the domain, the SA's main task becomes keeping those hosts from slipping out of domain control. What made me realise how necessary this job is was a programmer: the day before, I had just finished the configuration that prohibits running QQ, and the next day I saw the guy chatting again. He must have logged on with an old local account.
The software installed in my company is of many kinds, and many programs report an error unless they run with Administrator permission, so local administrator rights have to be granted to the domain accounts. Such excessive permissions bring a series of consequences: users can leave the domain and create local administrator accounts at will. Managing this is a real challenge for the SA.
II. Principles
Prohibit access to the user and group management tools, so the user cannot find a tool for creating new local accounts. Rename Administrator and delete all local accounts, so there is no local account left to log on with; if a user creates an account from the command line anyway, that account is refused at logon because the default profile has no access permissions. Hide the window for leaving the domain, so the user cannot find it. Prohibit IP address modification; otherwise an IP address from a different subnet can still be set and the host can still log on, but it is then outside domain control.
III. Configuration
1. Create a new domain group policy, "Prevent leaving the domain"
Start -- Administrative Tools -- domain group policy
2. Prohibit access to the user and group management tools, so that local accounts cannot be created
3. Rename Administrator to root and delete all local accounts, so that nobody can log on with a local administrator
To delete the local accounts: first publish, via domain group policy, a batch script that lists the users and writes the output to a shared folder on one host. Once all accounts have been counted, publish the batch script that deletes the users.
The batch scripts are published as logon scripts and run automatically after the account logs on.
Counting accounts and deleting accounts:
rem count: write this host's account list to the shared log folder, one file per user
net user > \\192.168.1.100\log\%username%.log
rem delete: remove one local account (replace username with the account to delete)
net user username /delete
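The two batch files above do the counting and deleting as separate steps. The following PowerShell script is an added example, not the blog's own script, that does both in one place: it inventories the local accounts to the same share, protects the built-in accounts (RID below 1000, which includes the renamed Administrator and Guest) plus any names passed in -Keep, and only deletes when -Delete is given. It assumes the share \\192.168.1.100\log from the post exists and is writable from the host, and it uses WMI and the WinNT ADSI provider so that it also runs on a Windows 7 client with PowerShell 2.0.

```powershell
# Added example: inventory local accounts, then (optionally) delete the ones
# that are neither built-in nor on the keep list. Not part of the original post.
param(
    [string]$LogShare = '\\192.168.1.100\log',  # share from the post; assumed writable
    [string[]]$Keep   = @(),                    # extra account names to preserve
    [switch]$Delete                             # without -Delete the script only inventories
)

# Local accounts only; the Domain filter keeps WMI from walking the whole AD domain.
$accounts = Get-WmiObject -Class Win32_UserAccount `
    -Filter "LocalAccount = True AND Domain = '$env:COMPUTERNAME'"

$logFile = Join-Path $LogShare ("{0}-{1}.log" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))

$report = foreach ($a in $accounts) {
    # The last SID component is the RID: Administrator is 500, Guest 501,
    # all built-in accounts are below 1000, user-created accounts start at 1000.
    $rid       = [int](($a.SID -split '-')[-1])
    $builtIn   = $rid -lt 1000
    $protected = $builtIn -or ($Keep -contains $a.Name)
    New-Object PSObject -Property @{
        Computer  = $env:COMPUTERNAME
        Name      = $a.Name
        SID       = $a.SID
        Disabled  = $a.Disabled
        Protected = $protected
    }
}

# Phase 1: count. One file per host per run, so nothing is overwritten.
$report | Format-Table Computer, Name, SID, Disabled, Protected -AutoSize |
    Out-String | Out-File -FilePath $logFile

# Phase 2: delete, but only the unprotected accounts and only when asked.
if ($Delete) {
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    foreach ($entry in ($report | Where-Object { -not $_.Protected })) {
        $computer.Delete('user', $entry.Name)
        Add-Content -Path $logFile -Value ("deleted local account {0} ({1})" -f $entry.Name, $entry.SID)
    }
}
```

Run it first without -Delete from the logon script and review the files on the share; once the account list looks right, republish it with -Delete. Deleting accounts needs administrative rights on the host, so a computer startup script (which runs as SYSTEM) is the safer delivery vehicle than a user logon script when UAC would otherwise block it.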
4. Set the default profile to deny access, so that new users cannot log on.
Default profile: each new user's profile is created by copying the default template "C:\Users\Default" to "C:\Users\<new user>".
Publish the script via domain group policy (as above) and set C:\Users\Default to no permission for all users:
cacls %SYSTEMDRIVE%\Users\Default /e /c /p everyone:N
5. Hide "Computer -- right-click -- Properties" and "Control Panel -- System" to prevent users from leaving the domain
6. Prohibit IP address modification to prevent the host from evading domain control
Still researching.
Server: Windows Server 2012, client: Win7. The test failed: http://www.cnblogs.com/sjy000/articles/4711233.html
7. Refresh the domain group policy and the configuration takes effect immediately.
IV. Test
Restart the Win7 client and simulate what a mischievous user would do.
1. Test the user and group management tools.
2. Create a local user, user2.
3. Try to leave the domain: the option cannot be found.
4. Log on with the local user user2: logon fails.
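The four manual tests above check one host at a time. As an added example that is not part of the original post, the function below audits a host against the configuration from section III and returns an object whose Findings list is empty when the host is compliant: it checks that the host is still domain-joined, that the built-in Administrator (identified by its RID 500 rather than its name, so a rename is caught) is called root as in step 3, that no user-created local accounts (RID 1000 and above) have appeared, and that C:\Users\Default carries the Everyone deny entry written by the cacls command in step 4. The expected administrator name and the use of the Everyone SID S-1-1-0 for the check are the assumptions; everything else comes from the post.

```powershell
# Added example: audit one host against the post's hardening steps.
# Not part of the original post. Uses WMI and .NET so it runs on Windows 7 too.
function Test-DomainHostHardening {
    param([string]$ExpectedAdminName = 'root')   # name chosen in step 3 (assumption)
    $findings = @()

    # Step 5 outcome: is the host still a domain member?
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        $findings += "host is not domain-joined (workgroup: $($cs.Workgroup))"
    }

    $local = Get-WmiObject -Class Win32_UserAccount `
        -Filter "LocalAccount = True AND Domain = '$env:COMPUTERNAME'"

    # Step 3: the built-in Administrator always has RID 500, whatever it is named.
    $admin = $local | Where-Object { $_.SID -like '*-500' }
    if ($admin.Name -ne $ExpectedAdminName) {
        $findings += "built-in Administrator is named '$($admin.Name)', expected '$ExpectedAdminName'"
    }

    # Step 3: user-created local accounts get RIDs from 1000 upwards.
    $extra = $local | Where-Object { [int](($_.SID -split '-')[-1]) -ge 1000 }
    foreach ($u in $extra) {
        $findings += "unexpected local account: $($u.Name) ($($u.SID))"
    }

    # Step 4: 'cacls ... /p everyone:N' leaves a Deny ACE for Everyone (S-1-1-0).
    # Get-Item -Force is needed because the Default profile folder is hidden.
    $defaultProfile = Join-Path $env:SystemDrive 'Users\Default'
    $acl = (Get-Item -LiteralPath $defaultProfile -Force).GetAccessControl()
    $denyEveryone = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
    }
    if (-not $denyEveryone) {
        $findings += "no Everyone deny entry on $defaultProfile; new local accounts could still get a profile"
    }

    New-Object PSObject -Property @{
        Computer  = $env:COMPUTERNAME
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

# Usage: run on the client after the policy refresh, or push it through the
# same logon script mechanism and write the result to the shared log folder.
Test-DomainHostHardening | Format-List
```

Running this on every client right after the group policy refresh in step 7 turns the one-off test into a repeatable check, and a host that later shows PartOfDomain false or a new RID-1000 account is exactly the case the post set out to catch. One caveat worth keeping in mind for step 4: the Default profile is also the template for domain users logging on to that host for the first time, so the check above tells you the deny is in place, not that first logons for new domain users on that machine still behave as expected; test that separately before rolling the policy out widely.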
This article is from the "O & M cainiao.log" blog; please do not repost it!