Re: Account question

From: Victor Matei (rvf_at_bebe.moc)
Date: 05/12/03

Date: Sun, 11 May 2003 23:48:11 -0400

3 worked perfectly.
Is there a way the user could have prevented the policy from applying to his
machine?

Thank you.

"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:OZugssoFDHA.584@TK2MSFTNGP12.phx.gbl...
> A couple of ways.
>
> 1. Don't let the local user set the group memberships of the group by
> setting the Restricted Groups. Note that you will set the entire
> membership, you can't add or remove individual entries this way. So if
> you add users to the admin groups of their own machines this is NOT the
> way to go.
>
> 2. Add a startup script for the machines. Startup scripts, unlike logon
> scripts, run in the context of LocalSystem so they can modify anything on
> the box. You would simply add a simple NET LOCALGROUP ADMINISTRATORS
> domain\groupname /add command to add some group from the domain. This will
> fire any time the box is rebooted, though after it comes up any admin
> could remove the entries.
>
> 3. To do a quick takeover, set up an OU and apply a restricted group to it
> for administrators and throw the workstation into it; you will set the
> admin group membership shortly when the GPO applies.
>
> --
> Joe Richards
> www.joeware.net
>
> "Victor Matei" <rvf@bebe.moc> wrote in message
> news:OdDe4EmFDHA.1984@TK2MSFTNGP12.phx.gbl...
> > Suppose a user removed every account except his local username from
> > the local Administrators group of their Windows XP workstation.
> > How can administrative access be regained?
> > I looked into using the Restricted Groups feature in Group Policy,
> > however I am not familiar with this feature; apparently it does not
> > deal with local groups for the workstation.
> > Thank you for your reply.
> >
> > "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> > news:u75SdtcFDHA.1840@TK2MSFTNGP10.phx.gbl...
> > > You really don't think you could because the self would only apply to
> > > its own object. I.E. the user and his/her own object, a computer and
> > > its own object. When you add a user to a group you actually modify
> > > the member attribute of the group.
> > >
> > > By default people can't add themselves to a group; some access has to
> > > be given to them to do it.
> > >
> > > What are the details of your root problem and the desired goal?
> > >
> > > --
> > > Joe Richards
> > > www.joeware.net
> > >
> > > "Victor Matei" <rvf@bebe.moc> wrote in message
> > > news:OR736rWFDHA.1660@TK2MSFTNGP10.phx.gbl...
> > > > How would you use the "Self" to prevent any accounts from adding
> > > > themselves to a security group?
> > > >
> > > > "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> > > > news:O9Wl5WPFDHA.432@TK2MSFTNGP12.phx.gbl...
> > > > > Not sure if I have ever seen it documented.
> > > > >
> > > > > Self is literally self. If you give modify rights for the
> > > > > description attribute to all objects in a container and it has a
> > > > > user named User1 and a computer named Computer1, User1 could
> > > > > modify description on User1 and Computer1 could modify description
> > > > > on Computer1, but they couldn't modify each other.
> > > > >
> > > > > --
> > > > > Joe Richards
> > > > > www.joeware.net
> > > > >
> > > > > "Victor Matei" <rvf@bebe.moc> wrote in message
> > > > > news:uZtfmgMFDHA.1548@TK2MSFTNGP12.phx.gbl...
> > > > > > Can anyone point to a more exhaustive description and
> > > > > > explanation of the "SELF" account in AD?
> > > > > > And an example of how this is supposed to be used properly?
> > > > > > Thanks in advance.
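A defender-side complement to option 2 in the thread above, added here as an example and not taken from the thread or from Joe's site: a PowerShell machine startup script (running as LocalSystem) that audits the local Administrators group against an expected membership list, writes any drift to the Application event log, and re-adds only the missing entries with the NET LOCALGROUP command the thread mentions. CONTOSO, the group names and the event source name are placeholders.

```powershell
# Added example: audit local Administrators membership and log drift.
# Assumed placeholders: CONTOSO domain, the two domain groups, event source.
$Expected = @(
    'CONTOSO\Domain Admins',        # placeholder domain group
    'CONTOSO\Workstation Admins',   # placeholder domain group
    "$env:COMPUTERNAME\Administrator"
)

function Get-LocalAdminMembers {
    # WinNT ADSI provider works on older Windows without the LocalAccounts module.
    $group = [ADSI]"WinNT://./Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # ADsPath is WinNT://DOMAIN/Name or WinNT://WORKGROUP/HOST/Name;
        # the last two segments give AUTHORITY\Name in both cases.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        "$($parts[-2])\$($parts[-1])"
    }
}

function Compare-LocalAdmins {
    param([string[]]$Expected, [string[]]$Actual)
    $missing = @($Expected | Where-Object { $Actual -notcontains $_ })
    $extra   = @($Actual   | Where-Object { $Expected -notcontains $_ })
    [pscustomobject]@{ Missing = $missing; Extra = $extra }
}

$actual = @(Get-LocalAdminMembers)
$drift  = Compare-LocalAdmins -Expected $Expected -Actual $actual

if ($drift.Missing.Count -or $drift.Extra.Count) {
    $msg = "Local Administrators drift on $env:COMPUTERNAME. " +
           "Missing: $($drift.Missing -join ', '); Extra: $($drift.Extra -join ', ')"
    # Record the deviation centrally before correcting it, so a user who
    # stripped the group (as in the thread) leaves a trace.
    if (-not [System.Diagnostics.EventLog]::SourceExists('AdminGroupAudit')) {
        New-EventLog -LogName Application -Source 'AdminGroupAudit'
    }
    Write-EventLog -LogName Application -Source 'AdminGroupAudit' `
        -EventId 1001 -EntryType Warning -Message $msg
    # Re-add only what is missing; as LocalSystem this succeeds even if the
    # local user removed every other account.
    foreach ($m in $drift.Missing) {
        & net localgroup Administrators $m /add | Out-Null
    }
}
```

Write-EventLog and New-EventLog are Windows PowerShell cmdlets, so deploy this under Windows PowerShell rather than PowerShell 7; the extra entries are reported but deliberately not removed, since removal belongs to a Restricted Groups policy (option 1) rather than a script.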

