Re: Account question
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 05/10/03
- Next message: Eric Chamberlain: "Re: CA web component problems"
- Previous message: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: print over the internet?"
- In reply to: Victor Matei: "Re: Account question"
- Next in thread: Victor Matei: "Re: Account question"
- Reply: Victor Matei: "Re: Account question"
Date: Fri, 9 May 2003 20:29:06 -0400
A couple of ways.
1. Don't let the local user set the group memberships of the group by setting the Restricted Groups. Note that you will
set the entire membership, you can't add or remove individual entries this way. So if you add users to the admin groups
of their own machines this is NOT the way to go.
2. Add a startup script for the machines. Startup scripts, unlike logon scripts, run in the context of localsystem so
they can modify anything on the box. You would simply add a simple NET LOCALGROUP ADMINISTRATORS domain\groupname /add
command to add some group from the domain. This will fire any time the box is rebooted, though after it comes up any
admin could remove the entries.
3. To do a quick takeover, set up an OU and apply a restricted group to it for administrators and throw the workstation
into it, you will set the admin group membership shortly when the GPO applies.
--
Joe Richards
www.joeware.net

--

"Victor Matei" <rvf@bebe.moc> wrote in message news:OdDe4EmFDHA.1984@TK2MSFTNGP12.phx.gbl...
> Suppose a user removed every account except his local username from their
> local Administrators group of their Windows XP workstation.
> How can administrative access be regained ?
> I looked into using the Restricted Groups usage in the Group policy, however
> am not familiar with this feature, apparently it does not deal with local
> groups for the workstation.
> Thank you for your reply.
>
>
> "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> news:u75SdtcFDHA.1840@TK2MSFTNGP10.phx.gbl...
> > You really don't think you could because the self would only apply to its own object. I.E. The user and his/her own
> > object, a computer and its own object. When you add a user to a group you actually modify the member attribute of the
> > group.
> >
> > By default people can't add themselves to group, some access has to be given them to do it.
> >
> > What are the details of your root problem and the desired goal.
> >
> > --
> > Joe Richards
> > www.joeware.net
> >
> > --
> >
> > "Victor Matei" <rvf@bebe.moc> wrote in message news:OR736rWFDHA.1660@TK2MSFTNGP10.phx.gbl...
> > > How would you use the "Self" to prevent any accounts from adding themselves
> > > to a security group ?
> > >
> > > "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> > > news:O9Wl5WPFDHA.432@TK2MSFTNGP12.phx.gbl...
> > > > Not sure if I have ever seen it documented.
> > > >
> > > > Self is literally self. If you give modify rights for the description attribute to all objects in a container and it has
> > > > a user named User1 and a computer named Computer1. User1 could modify description on User1 and Computer1 could modify
> > > > description on Computer1 but they couldn't modify each other.
> > > >
> > > > --
> > > > Joe Richards
> > > > www.joeware.net
> > > >
> > > > --
> > > >
> > > > "Victor Matei" <rvf@bebe.moc> wrote in message news:uZtfmgMFDHA.1548@TK2MSFTNGP12.phx.gbl...
> > > > > Can anyone point to a more exhaustive description and explanation of the
> > > > > "SELF" account in AD ?
> > > > > And an example how this is supposed to be used properly ?
> > > > > Thanks in advance.
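
An added example, not part of the original message: a computer startup script in PowerShell that carries out option 2 idempotently and also logs local Administrators members outside an expected list without removing them, since option 1 notes that Restricted Groups overwrites the whole membership. The group names, expected list and log path are placeholder assumptions, and the cmdlets come from the Microsoft.PowerShell.LocalAccounts module of Windows PowerShell 5.1 rather than the `NET LOCALGROUP` command the post uses.

```powershell
# Added example: GPO computer startup script (runs as LocalSystem).
# All names below are placeholder assumptions, not values from the original post.
$RequiredGroup = 'EXAMPLE\Workstation-Admins'   # domain group that must stay a local admin
$Expected      = @($RequiredGroup, 'EXAMPLE\Domain Admins', "$env:COMPUTERNAME\Administrator")
$AdminsSid     = 'S-1-5-32-544'                 # well-known SID of BUILTIN\Administrators
$LogFile       = Join-Path $env:SystemRoot 'Temp\local-admins-startup.log'

function Write-Log([string]$Message) {
    # One line per event: sortable timestamp, host name, message.
    "{0:s} {1} {2}" -f (Get-Date), $env:COMPUTERNAME, $Message | Add-Content -Path $LogFile
}

$enumerated = $true
try {
    # Address the group by SID so the script also works on localized builds.
    $members = @(Get-LocalGroupMember -SID $AdminsSid -ErrorAction Stop |
                 Select-Object -ExpandProperty Name)
} catch {
    # Enumeration can fail (for example on orphaned SIDs); log it and still try the add.
    Write-Log "ERROR enumerating Administrators: $($_.Exception.Message)"
    $members = @()
    $enumerated = $false
}

if ($members -notcontains $RequiredGroup) {
    try {
        Add-LocalGroupMember -SID $AdminsSid -Member $RequiredGroup -ErrorAction Stop
        Write-Log "RESTORED $RequiredGroup was missing and has been re-added"
    } catch {
        # Includes the "already a member" case when enumeration failed above.
        Write-Log "ADD-FAILED ${RequiredGroup}: $($_.Exception.Message)"
    }
} else {
    Write-Log "OK $RequiredGroup present"
}

# Report, but do not remove, anything outside the expected list. Removal is
# what Restricted Groups does, and it would also strip users who were
# deliberately made admins of their own machines.
if ($enumerated) {
    foreach ($m in $members | Where-Object { $Expected -notcontains $_ }) {
        Write-Log "UNEXPECTED member $m"
    }
}
```

Because the script only runs at boot, a RESTORED line in the log shows that the group was removed at some point since the previous startup.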