Re: Account question

From: Victor Matei (rvf_at_bebe.moc)
Date: 05/12/03

  • Next message: Neil Ruston: "last logged on"
    Date: Sun, 11 May 2003 23:48:11 -0400
    
    

    3 worked perfectly.
    Is there a way that the user could have prevented the policy from applying
    to his machine?

    Thank you.

    "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
    news:OZugssoFDHA.584@TK2MSFTNGP12.phx.gbl...
    > A couple of ways.
    >
    > 1. Don't let the local user set the group memberships of the group by
    > setting the Restricted Groups. Note that you will set the entire
    > membership, you can't add or remove individual entries this way. So if
    > you add users to the admin groups of their own machines this is NOT the
    > way to go.
    >
    > 2. Add a startup script for the machines. Startup scripts unlike logon
    > scripts run in the context of localsystem so they can modify anything on
    > the box. You would simply add a simple NET LOCALGROUP ADMINISTRATORS
    > domain\groupname /add command to add some group from the domain. This
    > will fire any time the box is rebooted though after it comes up any admin
    > could remove the entries.
    >
    > 3. To do a quick takeover, set up an OU and apply a restricted group to
    > it for administrators and throw the workstation into it, you will set the
    > admin group membership shortly when the GPO applies.
    >
    > --
    > Joe Richards
    > www.joeware.net
    >
    > --
    >
    > "Victor Matei" <rvf@bebe.moc> wrote in message
    > news:OdDe4EmFDHA.1984@TK2MSFTNGP12.phx.gbl...
    > > Suppose a user removed every account except his local username from
    > > their local Administrators group of their Windows XP workstation.
    > > How can administrative access be regained?
    > > I looked into using the Restricted Groups usage in the Group policy,
    > > however am not familiar with this feature, apparently it does not deal
    > > with local groups for the workstation.
    > > Thank you for your reply.
    > >
    > > "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
    > > news:u75SdtcFDHA.1840@TK2MSFTNGP10.phx.gbl...
    > > > You really don't think you could because the self would only apply to
    > > > its own object. I.E. The user and his/her own object, a computer and
    > > > its own object. When you add a user to a group you actually modify the
    > > > member attribute of the group.
    > > >
    > > > By default people can't add themselves to group, some access has to
    > > > be given them to do it.
    > > >
    > > > What are the details of your root problem and the desired goal.
    > > >
    > > > --
    > > > Joe Richards
    > > > www.joeware.net
    > > >
    > > > --
    > > >
    > > > "Victor Matei" <rvf@bebe.moc> wrote in message
    > > > news:OR736rWFDHA.1660@TK2MSFTNGP10.phx.gbl...
    > > > > How would you use the "Self" to prevent any accounts from adding
    > > > > themselves to a security group?
    > > > >
    > > > > "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
    > > > > news:O9Wl5WPFDHA.432@TK2MSFTNGP12.phx.gbl...
    > > > > > Not sure if I have ever seen it documented.
    > > > > >
    > > > > > Self is literally self. If you give modify rights for the
    > > > > > description attribute to all objects in a container and it has a
    > > > > > user named User1 and a computer named Computer1. User1 could
    > > > > > modify description on User1 and Computer1 could modify
    > > > > > description on Computer1 but they couldn't modify each other.
    > > > > >
    > > > > > --
    > > > > > Joe Richards
    > > > > > www.joeware.net
    > > > > >
    > > > > > --
    > > > > >
    > > > > > "Victor Matei" <rvf@bebe.moc> wrote in message
    > > > > > news:uZtfmgMFDHA.1548@TK2MSFTNGP12.phx.gbl...
    > > > > > > Can anyone point to a more exhaustive description and
    > > > > > > explanation of the "SELF" account in AD?
    > > > > > > And an example how this is supposed to be used properly?
    > > > > > > Thanks in advance.
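Added example, not part of the thread: a computer startup script in the spirit of Joe's option 2. Because startup scripts run as LocalSystem, it can restore a domain group to the local Administrators group even after a local user has removed everyone else. It is idempotent (it only adds the group when it is actually missing) and it logs a distinct "FIXED" line whenever it had to repair the membership, so a machine on which that line keeps recurring is one where someone keeps removing the entry, which is the caveat Joe raises. The group name CORP\Workstation-Admins and the log path are placeholders. The script assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Get-LocalGroupMember / Add-LocalGroupMember, available on Windows 10 and Server 2016 and later); on the XP-era machines in the thread the equivalent is the NET LOCALGROUP command Joe quotes.

```powershell
# Added example (not from the thread): idempotent startup script that ensures
# a domain group is a member of the local Administrators group and logs
# whenever it had to repair the membership.
# Placeholders: replace the group name and log path for your environment.
$DomainGroup = 'CORP\Workstation-Admins'                     # placeholder
$LogFile     = "$env:SystemRoot\Temp\ensure-local-admins.log" # placeholder

function Write-Log([string]$Message) {
    # One timestamped line per run; "FIXED" lines are the ones worth alerting on.
    "$(Get-Date -Format o) $env:COMPUTERNAME $Message" |
        Out-File -FilePath $LogFile -Append -Encoding utf8
}

function Test-LocalAdminMember([string]$Account) {
    # Get-LocalGroupMember reports members as DOMAIN\Name; compare case-insensitively.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    return [bool]($members | Where-Object { $_.Name -ieq $Account })
}

try {
    if (Test-LocalAdminMember $DomainGroup) {
        Write-Log "OK: $DomainGroup already present in Administrators"
    } else {
        # Runs as LocalSystem at startup, so this succeeds regardless of what a
        # local user did to the group's membership.
        Add-LocalGroupMember -Group 'Administrators' -Member $DomainGroup -ErrorAction Stop
        Write-Log "FIXED: $DomainGroup was missing from Administrators and has been re-added"
    }
} catch {
    Write-Log "ERROR: $($_.Exception.Message)"
    exit 1
}
```

Deploy it as a Computer Configuration startup script in a GPO linked to the workstation OU. Unlike a Restricted Groups policy, which (as Joe notes) replaces the whole membership list, this only ever adds the one domain group, so any per-machine local admin entries survive; collecting the log lines centrally turns repeated "FIXED" entries into a simple detection for machines where the membership is being tampered with.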

