Re: Effective Rights

From: Keith W. McCammon (km_at_km.com)
Date: 01/30/04

• Next message: Loui Arena: "Change Power User rigths"
• Previous message: Vishal Agarwal[MSFT]: "Re: how do I export a certificate to x.509?"
• In reply to: Pat: "Re: Effective Rights"
• Next in thread: Pat: "Re: Effective Rights"
• Reply: Pat: "Re: Effective Rights"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 30 Jan 2004 14:24:43 -0500

So your domain users are members of the domain admin group? If that's what
you're describing that is highly unusual.

"Pat" <htech@hotmail.com> wrote in message
news:0m2l10hsrc4h7eq58je55vcu3d21quh6dg@4ax.com...
> Keith,
> I notice a normal user account can remote manage me server, they are
> part of the usersdomanin users grp and our group policy group. What
> might I look at to see where they are picking up the rights to do
> this. I looked in the security tab of the domain users and
> Administrator and domain admins are there, if I create a new user the
> same security is applied. is this normal?
> On Fri, 30 Jan 2004 11:06:00 -0500, "Keith W. McCammon" <km@km.com>
> wrote:
>
> >Do you want to determine rights for a user, or for a computer? You need
to
> >make that determination first.
> >
> >There are a few resource kit tools that allow you to view group
membership
> >and group policy results:
> >
> >global.exe
> >gpresult.exe
> >perms.exe
> >
> >Some of this can also be done with cacls and xcacls.
> >
> >"Pat" <htech@hotmail.com> wrote in message
> >news:khrk105elqnqma6tspt3t26bt7uih58ak6@4ax.com...
> >> is there a command line option to run on a user workstation to find
> >> out thier effective rights on our domain?
> >
>

• Next message: Loui Arena: "Change Power User rigths"
• Previous message: Vishal Agarwal[MSFT]: "Re: how do I export a certificate to x.509?"
• In reply to: Pat: "Re: Effective Rights"
• Next in thread: Pat: "Re: Effective Rights"
• Reply: Pat: "Re: Effective Rights"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Prevent Users interactive login, but allow them to run batch j ... That user is member of "Domain Users" group. ... on Locally) But the second setting "Log on as batch job" has no effect. ... but that the account needs something else. ... Domain Users as well as Authenticated Users are made members ... (microsoft.public.win2000.security) Re: users have gray hair in Domain Users group ... The members of domain users group in both of the tree domains have ... when I use the below script to enumerate the membership of the ... domain users group in each of the domains, ... any reasons why I cannot enumerate the Domain Local group? ... (microsoft.public.win2000.active_directory) Re: simple distribution lists? ... list members change, someone has to go into ADUC and add/delete/reconfigure, ... > However, if you want to internal users send email to a distribution list, ... > the persons in the list are unnecessary to be domain users or contacts. ... Open outlook. ... (microsoft.public.windows.server.sbs) Re: Can this be done without affecting current configuration ... group so it only belong to the nondomainuser group. ... is able to access the shared folder without problem. ... the members in the domain users group which is something I don't want. ... (microsoft.public.windows.server.security) Re: Prevent Users interactive login, but allow them to run batch j ... needed for this account to run the job without being an admin. ... on Locally) But the second setting "Log on as batch job" has no ... Domain Users as well as Authenticated Users are made members ... (microsoft.public.win2000.security)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint