Re: Adding domain users as local XP administrators...

From: Spock (spock9999_at_yifan.net)
Date: 07/16/04


Date: Fri, 16 Jul 2004 12:00:12 -0400

Can I do this in a live environment? I.e., make a new OU, move the
computer accounts into it, create the new GPO and set my policy?

Thank you.

-Spock

"Roger Abell" <mvpNOSpam@asu.edu> wrote in message
news:ufqJLvzaEHA.1248@TK2MSFTNGP11.phx.gbl...
> Delete that Restricted Group definition.
> You do not want to do such in any GPO linked at either
> the Domain level or the Domain Controllers OU level.
> You need to do that in a GPO that is linked to an OU
> which contains the machines where you do want the
> Restricted Group definition to be effective.
>
> --
> Roger Abell
> Microsoft MVP (Windows Server System: Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Spock" <spock9999@yifan.net> wrote in message
> news:OBP50WqaEHA.4092@TK2MSFTNGP11.phx.gbl...
> > Hi. I am trying the suggestion that I have seen on the web where you can
> > create a restricted group policy in the domain policy that will
> > automatically add "domain users" as a member of the local administrators
> > group of whatever machine a person logs on to so that any domain user will
> > have full rights to the local machine.
> >
> > I am editing the default domain group policy, going into computer
> > configuration -> windows settings -> security settings -> restricted groups,
> > adding a new group called "administrators" and adding "domain users" to it.
> >
> > It seems to work fine. Any domain user that logs on to any XP PC in the
> > domain has full rights to the local machine.
> >
> > HOWEVER, I found a big problem. On the actual domain controller server,
> > "domain users" is also a member of ITS OWN local administrators group! Even
> > if the folder security prevents a user from accessing a particular folder on
> > the server, that user can actually right-click that folder, go to security
> > and add themselves! Then they have full rights!
> >
> > How do I prevent the server itself from receiving the restricted groups
> > policy?????
> >
> > Thank you very much.
> >
> >
> > -Spock
> >
> >
> >
>
>
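
An audit sketch for the situation in this thread, added here as an example and not part of any poster's message: it reads the `[Group Membership]` section that a Restricted Groups setting writes into a GPO's `GptTmpl.inf` and reports broad principals forced into local Administrators, so such a GPO can be checked before it is linked at the domain or Domain Controllers OU level. The sample template, its domain SID and the function names are constructed for illustration.

```python
import re

# Constructed sample of the [Group Membership] section that a Restricted Groups
# setting writes into a GPO's GptTmpl.inf (the domain SID below is made up).
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-513,*S-1-5-21-1111111111-2222222222-3333333333-512
[Version]
signature="$CHICAGO$"
"""

ADMIN_GROUP = {"*s-1-5-32-544", "administrators"}   # BUILTIN\Administrators
BROAD_NAMES = {"domain users", "authenticated users", "everyone"}
# Domain Users (RID 513), Authenticated Users (S-1-5-11), Everyone (S-1-1-0)
BROAD_SID = re.compile(r"^\*s-1-(5-21-[\d-]+-513|5-11|1-0)$")


def restricted_groups(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from [Group Membership]."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, _, kind = key.strip().rpartition("__")
        entries = [v.strip() for v in value.split(",") if v.strip()]
        groups.setdefault(group, {})[kind.lower()] = entries
    return groups


def broad_admin_members(inf_text):
    """List broad principals that the policy forces into local Administrators."""
    hits = []
    for group, lists in restricted_groups(inf_text).items():
        if group.lower() not in ADMIN_GROUP:
            continue
        for member in lists.get("members", []):
            name = member.lower().split("\\")[-1]   # drop any DOMAIN\ prefix
            if BROAD_SID.match(member.lower()) or name in BROAD_NAMES:
                hits.append(member)
    return hits
```

A non-empty result for a GPO whose scope includes domain controllers corresponds to the condition described in the original post.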


