Re: Default Users properties

From: Steven Umbach (n9rou_at_n0spam-comcast.net)
Date: 01/31/04 

Date: Sat, 31 Jan 2004 01:43:23 GMT

They can connect, but can not do much as a regular user. The main thing you can
do to prevent access to other servers is to disable their ability to use
Computer Management via Group Policy user configuration/administrative
templates/Windows components/Microsoft Management Console/restricted&permitted
snapins. You can also control access to other computers in the domain by using
ipsec policies and modifying the user rights assignments for access this
computer from the network and deny access to this computer form the network. Do
not change those user rights on domain controllers however, or a user may not be
able to logon to the domain. Be careful when applying Group Policy because if
you apply it at the domain level it will also apply to administrators unless you
give them deny permissions to apply in the GPO security policies which is
referred to as "filtering" policy. --- Steve

"Pat" <htech@hotmail.com> wrote in message
news:gsol10lgshk9dtcbnb57grjd830jnif8u7@4ax.com...
> If I create a new user and it is only a member of the domain users, I
> log on with that user and can connect to a server thru computer
> management . where would it pick up these rights, i want to remove
> them.
>
> On Fri, 30 Jan 2004 22:01:16 GMT, "Steven L Umbach"
> <sumbach@nospam-ameritech.net> wrote:
>
> >The administrator, domain admins, and enterprise admins have everything but
> >full control, system has full control, authenticated users has read,
> >everyone has change password, and if present the pre-2000 group has read.
> >You can also use the dsacls /s command to reset any object or container back
> >to default settings as defined in the schema if need be. Be very careful
> >changing any AD permissions and document/test well as you can prevent users
> >from changing passwords, prevent administrators from modifying Group Policy,
> >prevent Group Policy from applying to users, etc. --- Steve
> >
> >http://support.microsoft.com/default.aspx?scid=kb;en-us;281146
> >
> >"Pat" <htech@hotmail.com> wrote in message
> >news:vo6l10tdutfvfmhu02u8ftic3c319qhvfh@4ax.com...
> >> Running W2K with AD, what are the default Security settings for the
> >> User folder in AD?
> >
>

Relevant Pages

  • Re: Delegation dilemma
    ... That will spread the security control over a group of people ... your SMS and MOM servers are going to be member servers. ... SMSAdmins in the local administrators group of the SMS Primary and Secondary ...
    (microsoft.public.windows.server.active_directory)
  • Re: Admin / Domain Admin rights problem
    ... From what I can tell it looks like subinacl shows that administrators ... have full control of HKLM. ... Group Policy but it should show in Domain Controller Security Policy if SBS ... > Detailed Access Flags: ...
    (microsoft.public.win2000.security)
  • Re: Terminal Server GPO Issue
    ... servers that is not in the OU where the GPO is supposed to be applied and I ... Microsoft Windows Operating System Group Policy Result tool v2.0 ... Sharepoint Auth GPO ... Event Log Settings ...
    (microsoft.public.windows.server.active_directory)
  • Re: IMPACT of (Delegation Control of Group Policy) on Active Direc
    ... GPOs applied on DCs and Servers ... Health of active Directory and DCs since unSYSTEM Engineer is having ... Actually my MAIN CONCERN is that how would delegating control of Group ... Policy to SUPPORT Engineer affect health of active directory?? ...
    (microsoft.public.windows.server.active_directory)
  • Re: dns administration delegation
    ... Allow site_DNSadmin group to FULL control Computer Configuration\Windows ... Executed dnsmgmt.msc and added one of the dns servers. ... additional permissions that grant unnecessary rights. ...
    (microsoft.public.windows.server.dns)