Workgroup access to Domain

By jeanmansour

I have Windows 2003 Server (AD) installed and running, and I have noticed that if someone knew the user name and password of a domain user, they would be able to access my network with all the rights assigned to this user. Does anyone know how to fix this issue?

by BFilmFan In reply to Workgroup access to Doma ...

Of course they can authenticate to domain resources using the correct password for a user account.

The solution is to implement stronger security.

Exactly what made you think that someone could not authenticate as a user if they had the correct password?

by HAL 9000 Moderator In reply to Workgroup access to Doma ...

If this is an internal issue, then the only remedy is to remove all users from the Group. What you are seeing is exactly what is supposed to happen when a user logs into the Domain: they get to see what rights have been granted to them.

You could set up in a Group Policy that only a user with a certain IP Address can log onto the system, but that would mean instigating Static IP Addresses and then writing a policy for each workstation to prevent another workstation logging on as a different user to what it has been addressed as. That would work, but it might cause you quite a few problems when you replace any workstations, as you would have to reestablish the IP addresses for the new Hardware and rewrite the rules as the new workstations come online.

However if this is from an external source you have to do something to lock the system down much better than it currently is.

As you are already running 2003 I would be looking at running ISA on top of that and some form of router that is constantly kept up to date to prevent outside interference.

The following sites will be of assistance.

Let us know if you want any more.


by XT John In reply to Workgroup access to Doma ...

If the computer is joined onto the domain, then anyone with an AD profile can sit down, enter their user name and password, and log onto the domain. If a non-domain computer tries to join your domain, they will be stopped and asked for the admin name/password in order to join the domain. If I understand your question, someone with access to your domain has gotten hold of a user name and password, probably not theirs, that has more rights than they should. I would disable the account they're using inappropriately, give the proper user a new name/password, and tell them to guard it well.

by sgt_shultz In reply to Workgroup access to Doma ...

well, changing the password is too obvious even for sgt...
have your users sign something that says they understand it is their responsibility to protect their password. consider setting allowed login times only during the working day. consider allowing users local login rights only on the computer they normally use...and limit the user's rights. pretty much all i can offer.

by w2ktechman In reply to Workgroup access to Doma ...

I would go with the first 2 answers. The third, although it will work, is extra unnecessary steps. You don't need to disable and re-create a user account; all you should need to do is to reset the PW. Give the proper user the new PW, and inform them that they should not give it out to anyone under any situation.
