Re: Adding domain users as local XP administrators...

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 07/16/04


Date: Fri, 16 Jul 2004 06:51:44 -0700

Delete that Restricted Group definition.
You do not want to do such in any GPO linked at either
the Domain level or the Domain Controllers OU level.
You need to do that in a GPO that is linked to an OU
which contains the machines where you do want the
Restricted Group definition to be effective.

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Spock" <spock9999@yifan.net> wrote in message
news:OBP50WqaEHA.4092@TK2MSFTNGP11.phx.gbl...
> Hi. I am trying the suggestion that I have seen on the web where you can
> create a restricted group policy in the domain policy that will
> automatically add "domain users" as a member of the local administrators
> group of whatever machine a person logs on to so that any domain user will
> have full rights to the local machine.
>
> I am editing the default domain group policy, going into computer
> configuration -> windows settings -> security settings -> restricted groups,
> adding a new group called "administrators" and adding "domain users" to it.
>
> It seems to work fine.  Any domain user that logs on to any XP PC in the
> domain has full rights to the local machine.
>
> HOWEVER, I found a big problem.  On the actual domain controller server,
> "domain users" is also a member of ITS OWN local administrators group! Even
> if the folder security prevents a user from accessing a particular folder on
> the server, that user can actually right-click that folder, go to security
> and add themselves! Then they have full rights!
>
> How do I prevent the server itself from receiving the restricted groups
> policy?????
>
> Thank you very much.
>
>
> -Spock
>
>
>
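
An audit for the condition the reply warns about, as an added example that is not part of the original thread: it lists Restricted Groups entries in GPOs linked at the domain root or at the Domain Controllers OU. It assumes the RSAT ActiveDirectory and GroupPolicy PowerShell modules and read access to SYSVOL; the variable names and output columns are illustrative.

```powershell
# Added example (not from the thread). Reports every Restricted Groups entry that
# reaches domain controllers through a GPO linked at the domain root or at the
# Domain Controllers OU, and flags Domain Users placed in BUILTIN\Administrators.
Import-Module ActiveDirectory, GroupPolicy

$domain      = Get-ADDomain
$targets     = @($domain.DistinguishedName, $domain.DomainControllersContainer)
$adminsSid   = '*S-1-5-32-544'                          # BUILTIN\Administrators
$domUsersSid = "*$($domain.DomainSID.Value)-513"        # <domain>\Domain Users

$findings = foreach ($target in $targets) {
    foreach ($link in (Get-GPInheritance -Target $target).GpoLinks) {
        if (-not $link.Enabled) { continue }

        # Security template of the GPO's computer configuration in SYSVOL.
        $inf = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{$($link.GpoId)}" +
               '\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
        if (-not (Test-Path -LiteralPath $inf)) { continue }

        $section = ''
        foreach ($line in Get-Content -LiteralPath $inf) {
            if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }

            # Restricted Groups are stored as "<group>__Members = <list>" and
            # "<group>__Memberof = <list>" under [Group Membership].
            if ($section -eq 'Group Membership' -and
                $line -match '^\s*(.+?)__(Members|Memberof)\s*=\s*(.*)$') {
                $group, $kind, $value = $Matches[1].Trim(), $Matches[2], $Matches[3]
                $list = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
                [pscustomobject]@{
                    LinkedAt            = $target
                    Gpo                 = $link.DisplayName
                    Enforced            = $link.Enforced
                    Group               = $group
                    Setting             = $kind
                    Value               = $list -join ', '
                    DomainUsersInAdmins = ($group -eq $adminsSid -and $kind -eq 'Members' -and
                                           $list -contains $domUsersSid)
                }
            }
        }
    }
}

$findings | Sort-Object DomainUsersInAdmins -Descending | Format-Table -AutoSize -Wrap
```

Entries written with group names instead of SIDs still appear in the output but are not flagged, so review the Group and Value columns as well as the flag.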

