Re: can built-in user rights be changed?

From: Steven L Umbach (n9rou@attbi.com)
Date: 04/04/03

• Next message: Steven L Umbach: "Re: Block AOL Inst. Messenger???"
• Previous message: mike: "Network Monitor ?"
• In reply to: Brian: "can built-in user rights be changed?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: "Steven L Umbach" <n9rou@attbi.com>
Date: Fri, 04 Apr 2003 02:28:21 GMT

       No all rights are not defined by security policy, though a limited
number can be changed. Be careful when changing any user rights,
particularly when using the deny right. Remember that administrators are
part of the everyone and user groups. Many people have posted here how they
locked themselves out of a machine. Domain and any OU group policy applied
to a machine will override local policy settings. It is recommended not to
modify domain/domain controller group policy, but to implement an additional
policy for needed changes. That way if things go wrong it is easy to go back
to default policy. Always document changes and do not do too many at once to
make troubleshooting easier - particularly security options. --- Steve

http://windows.stanford.edu/docs/defaultgroups.htm
http://www.labmice.net/ActiveDirectory/default.htm
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/
issues/W2kCCSCG/default.asp

"Brian" <dugas@cox.net> wrote in message
news:f3646aa3.0304031706.36530936@posting.google.com...
> What defines the rights given to a built-in user account, i.e.
> Administrtor, Domain User?
>
> I'm assuming that all rights aren't defined by Policies, b/c
> Administrators and Domain Users both log in under the 'Default Domain
> Policy' and yet, they have different rights. I could be wrong though,
> I'm still in the beginner stage of Network knowledge and security.
> Are there any good articles that someone could point me too? Thanks.
> Brian

---

• Next message: Steven L Umbach: "Re: Block AOL Inst. Messenger???"
• Previous message: mike: "Network Monitor ?"
• In reply to: Brian: "can built-in user rights be changed?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Local Group Recursion, Creation, and GP ... I have hundreds of embedded systems spread across a college campus. ... administer them largely by Group Policy. ... requireing Admin rights for their software to run. ... We made both of these members of Administrators (so they could run the ... (microsoft.public.windows.group_policy) Re: Failed to open Group Policy Object ... all have appropriate rights (full control for administrators and domain ... Also if I look at the policy container in ADSIedit and their is no ... "Todd J Heron" wrote: ... > This posting is provided "as is" with no warranties and confers no rights ... (microsoft.public.windows.server.active_directory) Re: Admin policy limit problem ... Add your account to the Administrators built in group. ... If you are already a member of this group open the Local Security Policy. ... This posting is provided "as is" with no warranties and confers no rights. ... Please do not send e-mail directly to this alias. ... (microsoft.public.win2000.group_policy) Force Periodic Authentication ... contents of the local Administrators group. ... etc. So we came up with a web form that employees can use ... expire the elevated rights after the given time frame, ... the group policy will refresh on the local PC. ... (microsoft.public.windows.group_policy) Re: access denied for administrator accounts ... or when you try to actually change a policy ... >> in your AD on modifying policies? ... "Group policy error, You ... affecting both normal users and Administrators. ... (microsoft.public.windows.terminal_services)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(15)