Restrict User Access for RSAT Tools

    Question

  • Users are installing RSAT tools on Windows 7 and are able to view all group policies, AD Administrative Centre, AD Users and Computers and all other tools. I want this access to be restricted only to domain admins or those to whom I provide access. All users are able to view all these things in Active Directory. How can I restrict this access?

    Thank you,

    Imran.

    System Admin.

    June 17, 2012 10:06

All replies

  • It seems that the users have admin privileges and hence they are able to install the RSAT tool. I would recommend removing the administrator rights and the RSAT tool from the workstation/PC. Only provide admin rights to higher authorities if required, and also deploy the policy to block the installation of the RSAT tool.

    How do I use Group Policy to block a specific application?
    http://www.windowsitpro.com/article/tips/how-do-i-use-group-policy-to-block-a-specific-application-

    Removing Remote Server Administration Tools for Windows 7
    http://technet.microsoft.com/en-us/library/ee449483(v=ws.10).aspx#BKMK_Remove

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    June 17, 2012 10:31
  • Hello,

    If your users are able to install RSAT tools, it seems they are local admins, which is BAD practice and should not be done within a domain. So why are they local admins? They should only be domain users.

    And if they are even domain/enterprise/administrators security group members, they can revert any settings you made for them.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    June 17, 2012 14:58
  • Our organisation needs some users to be local administrators; it's mandatory to give them Administrator privileges on their local machines. But I want to restrict access to their local computer only, not to Active Directory, especially RSAT tools. So please, any way TO STOP THEM?


    IMRAN.

    June 17, 2012 20:14
  • You could, in theory, block them with AppLocker, but even then, they could simply use another tool.

    Your real requirement, I guess, is to prevent people enumerating data in AD.

    And the answer to that is different. Indeed, the short answer is "not really".

    However, it's not like it's sensitive data, so why do you feel the need to do it? What is the business requirement you are trying to address?

    June 17, 2012 22:54
  • Hi Imran,

    Thank you for the post.

    RSAT is based on the MMC console, so you could restrict MMC usage to achieve your goal.
    Set the policy User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restrict users to the explicitly permitted list of snap-ins to Enabled.
    http://technet.microsoft.com/en-us/library/cc709697.aspx#BKMK_permittedlistdomain

    If there are more inquiries on this issue, please feel free to let us know.
     
    Regards


    Rick Tan

    TechNet Community Support

    June 18, 2012 6:14
    Moderator
  • You can also enable the settings below for the users whom you don't want to allow access to the RSAT tool.

    Under User Configuration\Administrative Templates\System\, set "Don't run specified Windows applications" to Enabled and add the RSAT file extension name.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    June 18, 2012 8:48
    Moderator
  • Thanks AWINISH,

    I WILL TRY THIS SETTING AND INFORM YOU. ONE MORE THING - RSAT FILE EXTENSION NAME??


    IMRAN.


    June 22, 2012 11:55
  • Insert one .exe at a time in the deny list. For example, if you want to deny Notepad, then add Notepad.exe. Once the user tries to open Notepad, they will not be able to open it.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    June 22, 2012 11:59
    Moderator
  • Thanks guys, both Rick Tan's and Awinish's answers solved my issue. Thank you guys, keep up the good work.

    Awinish, another thing: this policy blocks only Windows Explorer; the users can start from the command prompt, I believe.


    IMRAN.

    June 22, 2012 13:42
  • No, the apps will not work whether he starts them from Explorer or cmd; it is blocked at the OS level.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    June 22, 2012 13:45
    Moderator
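
    To confirm that the two user policies suggested above (the MMC snap-in restriction and "Don't run specified Windows applications") actually reached a restricted user, the following is an added example, not code from any poster in this thread. It reads the per-user registry locations where these settings are stored; the `$Wanted` deny list is an assumption to adapt to the executables you block.

```powershell
# Added example: run as the restricted user after "gpupdate /force".
# $Wanted is an assumed deny list. mmc.exe hosts the RSAT consoles
# (dsa.msc, gpmc.msc); dsac.exe is the AD Administrative Center.
$Wanted = @('mmc.exe', 'dsac.exe')

$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$mmcKey      = 'HKCU:\Software\Policies\Microsoft\MMC'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

# "Don't run specified Windows applications":
# DisallowRun = 1 on the Explorer key, plus a DisallowRun subkey holding
# one numbered value per blocked executable name.
$denyEnabled = (Get-PolicyValue $explorerKey 'DisallowRun') -eq 1
$denyList = @()
$listKey = Join-Path $explorerKey 'DisallowRun'
if (Test-Path $listKey) {
    $denyList = @((Get-ItemProperty -Path $listKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |     # skip provider metadata
        ForEach-Object { [string]$_.Value })
}

# "Restrict users to the explicitly permitted list of snap-ins"
$mmcRestricted = (Get-PolicyValue $mmcKey 'RestrictToPermittedSnapins') -eq 1

# Entries you expected to be blocked but that are not in the applied list.
$missing = @($Wanted | Where-Object { $denyList -notcontains $_ })

# New-Object keeps this compatible with PowerShell 2.0 on Windows 7.
New-Object PSObject -Property @{
    User                 = "$env:USERDOMAIN\$env:USERNAME"
    DisallowRunEnabled   = $denyEnabled
    DisallowRunEntries   = ($denyList -join ', ')
    MissingFromDenyList  = ($missing -join ', ')
    MmcSnapinsRestricted = $mmcRestricted
} | Format-List
```

    Microsoft's description of "Don't run specified Windows applications" states that it only applies to programs started by the Windows Explorer process, so treat both settings as user-interface restrictions. What a domain user can read in the directory is decided by Active Directory permissions, not by which tools are installed.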
  • I can't help thinking MS are missing the point here.

    Unless I'm missing something, why should a user with local Admin rights on their workstation be able to access AD via RSAT when they are nothing more than a Domain User on the network?

    Surely they shouldn't have access....?

    I have just discovered this on a user's workstation, who had just recently been running RSAT (unauthorized), hence stumbling on this thread.

    Rob

    October 29, 2012 13:17
  • What if I want users to be able to use RSAT, but only manage a specific OU within the forest?

    February 1, 2013 19:15