Re: Where is Local Group Assignment Stored?



"Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx> wrote in message
news:uiMWd06XHHA.3996@xxxxxxxxxxxxxxxxxxxxxxx
> It is in the SAM and the SAM is part of the registry. Doesn't matter
> though, direct manipulation of any of that is absolutely unsupported.
> Use the published API.

If you boot from Windows PE, would the API you need to remove a user from a
local group be provided?

The requirement came up because Windows 2000 AD doesn't let you disable the
BUILTIN Administrator. We wanted to add it to groups that would have deny
privileges on file system and registry, as well as an entry in the Deny login,
Deny batch, and Deny service user rights in GPO. This effectively disables
it. And we would have other accounts used for AD administration that have
tighter security on them (Logon Locally restrictions, do not allow
delegation, and eventually smartcard requirement).

Now if we do all of those things to the BUILTIN Administrator, I guess those
Deny groups are actually domain groups and not true "Local" groups. If the
AD becomes corrupt and you need to boot the computer in AD recovery mode,
then I guess the Administrator would no longer be in any of the Deny groups
so those are entities that only exist when the domain entities are
available? If so, then I guess the situation is somewhat self healing and
the BUILTIN administrator becomes a usable account when you are in AD
recovery mode.

I would still like to have a Windows PE or Barts PE disk that has a program
that lets me change local group assignments. At the very least I could fight
against a denial of service that puts any account into a group whose purpose
is to deny access to resources.

--
Will

