Re: Computer Management Security Problem

From: Paul Adare - MVP - Microsoft Virtual PC (padare_at_newsguy.com)
Date: 07/28/04 

Date: Wed, 28 Jul 2004 05:26:44 -0400

In article <FBA54439-EE5A-4BA4-8758-663657A38370@microsoft.com>, in the
microsoft.public.win2000.security news group, =?Utf-8?B?RGF2ZSBXLg==?=
<DaveW@discussions.microsoft.com> says...

> All users are part of the "Domain Users" group which belongs to the "Adminstrators" group in the GP loaded into each users PC. This gives them the required privileges on their own PC but does not give them domain administrator privileges.
>

So, you're using Restricted Groups in Group Policy to add the Domain
Users group to the Administrators group? And I'm betting that you're
either using the Default Domain GPO or a GPO at the domain level to
enforce this? This is your problem right here.

By using a GPO at the domain level and specifying that Domain Users are
members of a group called Administrators, not only are you adding Domain
Users to the local Administrators group on your workstations, you're
also adding Domain Users to the Administrators group on your Domain
Controllers!!!

There are a number of ways to fix this:

1. Make sure that all affected workstations are in an OU (not the
default Computers container as that is not an OU) and then create a GPO
with your restricted groups setting that only applies to the
workstations.
2. If you insist on using a domain level GPO for this, modify the
Default Domain Controllers GPO to not include Domain Users in the
Administrators group.

You've done this to yourself and has nothing specifically to do with the
security right you're mentioning. The only reason Domain Users have that
right is because you've made them Administrators on your domain
controllers. 

-- 
Paul Adare
This posting is provided "AS IS" with no warranties, and confers no
rights.

Relevant Pages

  • Re: Restricted group functionality
    ... Is it possible with that GPO? ... that the computer account objectin question are located in an OU ... as a member of the local Administrators group. ... making use of the Restricted Groups can be a bit more difficult ...
    (microsoft.public.windows.group_policy)
  • Re: Restricted group functionality
    ... That is part of the beauty of this GPO. ... It simply changes the default behavior of the Restricted Groups GPO from ... sure that the computer account objectin question are located in an OU ... as a member of the local Administrators group. ...
    (microsoft.public.windows.group_policy)
  • Re: Administering OUs
    ... IF You set this settings in ... >GPO on the OU level and then define in this GPO that in ... DOmain Admins can be a member of local administrators group ... restricted groups are proper solution for this problem. ...
    (microsoft.public.win2000.active_directory)
  • Re: Administrators Group in Local Users and Groups
    ... Create the gpo in the ou where the Computers reside, ... > administrators group, but it won't let me browse outside the active ... >>> I am trying to find out how to add in the domain group Account ... >>> each workstations administrator group. ...
    (microsoft.public.windows.server.active_directory)
  • impact of xp gpo on w2k
    ... I created a gpo that sets restricted groups within the local pc ... placed in the local administrators group. ... i changed restricted groups. ...
    (microsoft.public.win2000.group_policy)