joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

I added my work Windows XP laptop to my home domain and now I can’t access my work domain…

by @ 10:58 am on 12/9/2006. Filed under tech

Ever hear that one? Of course the problem is that some user was granted admin on their laptop and they went and did something silly with that power and then when they try to hook back up to work they realize they don’t have the necessary rights to fix it…

That seems to be a common issue in the newsgroups, and my response to those folks, if I respond at all, is that they need to contact their admins and hopefully they learned a valuable lesson. And if admins ask how they can stop that behaviour I usually say “stop giving out admin rights!” Of course we all know that latter item is MUCH easier to say than do, given the plethora of poorly behaving apps, etc. out there.

Well I was chatting with some very bright IT people this week and one of them pointed out another solution that they implemented at their company and I thought it was so slick I wanted to share it… It doesn’t block everything that could be used but it blocks the main front door that is used by most folks who hurt themselves…

Normally most folks are CLI challenged so they always use the GUI to change their domain. They do this by right clicking My Computer and selecting Properties and then you get a nice dialog something like…

[screenshot: the System Properties dialog]

Then you click on the tab labeled Computer Name and see this…

[screenshot: the Computer Name tab]

Well… You can stop that dead in its tracks… The DLL that controls that tab is c:\windows\system32\netid.dll, something I never personally had to go figure out as I am not a client person. The interesting thing is that if you lock that DLL down, you can make it so that tab doesn’t show up. So say you set an ACE on the ACL of that DLL to DENY Everyone Full Control. What happens?

This is what happens…

[screenshot: System Properties with the Computer Name tab gone]

Cool huh? Front door closed. If you have a script or other process that handles all of the domain join stuff then you are all set. If you still want to let some people muck with that dialog then you need to get a little more creative with the ACLing: allow some group and disallow everyone else. That takes more intrusive ACL modifications, using passive (implicit) deny, i.e. simply not granting access, instead of an explicit deny.

In the location I was at, they were doing this lockdown with a GPO, so the ACL gets put back if someone figures out a way around it.
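As an added example (not code from the post or from the folks joe was talking to), here is a PowerShell version of both ACL variants described above, with the original descriptor recorded first so the change can be undone. It assumes an elevated session on the XP-era client the post describes, where Administrators own the file; the group name and backup path are placeholders.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell
# session on an XP-era client (Administrators own the file there); the
# group name and backup path are placeholders.
$Dll          = "$env:SystemRoot\System32\netid.dll"
$AllowedGroup = 'CONTOSO\Domain-Join-Operators'   # placeholder group
$BackupFile   = "$env:SystemRoot\Temp\netid.dll.sddl.txt"

function Backup-NetIdAcl {
    # Record the current DACL as SDDL so it can be reverted, not guessed at.
    (Get-Acl -Path $Dll).Sddl | Set-Content -Path $BackupFile
}

function Set-NetIdExplicitDeny {
    # The post's variant: DENY Everyone Full Control. An explicit deny is
    # evaluated before any allow, so the tab disappears for admins too.
    $acl  = Get-Acl -Path $Dll
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'Everyone', 'FullControl', 'Deny'
    $acl.AddAccessRule($deny)
    Set-Acl -Path $Dll -AclObject $acl
}

function Set-NetIdAllowGroupOnly {
    # The "more creative" variant: no deny ACE at all. Break inheritance,
    # drop the existing allows, then grant only SYSTEM, Administrators and
    # the chosen group. Everyone else matches no allow ACE and is refused
    # by the implicit ("passive") deny.
    $acl = Get-Acl -Path $Dll
    $acl.SetAccessRuleProtection($true, $false)   # protect DACL, discard inherited ACEs
    foreach ($rule in @($acl.Access)) {
        $acl.PurgeAccessRules($rule.IdentityReference)
    }
    foreach ($who in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $AllowedGroup) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $who, 'ReadAndExecute', 'Allow'))
    }
    Set-Acl -Path $Dll -AclObject $acl
}

function Restore-NetIdAcl {
    # Put the recorded DACL back. Works even after the Everyone deny because
    # the file's owner always keeps READ_CONTROL and WRITE_DAC implicitly.
    $sddl = (Get-Content -Path $BackupFile) -join ''
    $acl  = Get-Acl -Path $Dll
    $acl.SetSecurityDescriptorSddlForm($sddl, [System.Security.AccessControl.AccessControlSections]::Access)
    Set-Acl -Path $Dll -AclObject $acl
}

Backup-NetIdAcl
Set-NetIdExplicitDeny   # or Set-NetIdAllowGroupOnly for the group-based variant
```

Deploying this through a GPO startup script, as the site in the post did, reapplies the DACL at each boot rather than relying on a one-time run.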

I was impressed with how simple the solution was and the fact that I hadn’t ever heard of it before.


  joe


One Response to “I added my work Windows XP laptop to my home domain and now I can’t access my work domain…”

  1. Alun Jones says:

    Of course, you have to be careful when applying ACLs to system files – if Microsoft (or some third party) later decides “oh, we can just call a function from netid.dll to determine what our system name is”, and uses that everywhere they access your machine’s name, you’re suddenly not working, and Microsoft, when they find out how you caused it, will declare you “in an unsupportable configuration”, making fixing it to be a consulting job at your expense.
    It might not happen in this case, but think carefully before changing ACLs on Windows DLLs, and document all the changes so that you can revert them (there’s a whole nother topic – you can’t reliably revert ACLs on system files to their supportable state) before you call for support again.
