Re: Why Are Domain users in the admin Group.

From: Gordon Fecyk (gordonf_at_pan-am.ca)
Date: 05/24/04


Date: Sun, 23 May 2004 23:00:00 -0500


> Currently the admin's group contains the domain users group
> is this correct? It doesn't seem that it should be setup
> this way.

I agree with Paul there - huge security issue.

First, which Admins group? The local "Administrators" group on the client
machines? On the DC? On some other server? SIDWALK from the Windows 2000
Support Tools will help you find out.

Some folks like to make a domain's Domain Users group a member of all of the
stations' Administrators group because otherwise broken software doesn't
work. I usually hit these folks with a big, painful stick and then redo
their security for them.

> If I remove the domain users group from the
> admin's group, my users lose their profiles when they log
> in. What could be the problem / fix?? Any ideas???

Oh geez, and the local directory permissions are messed up, too.

The original directory permissions for C:\Documents And Settings are:

Local Administrators: Full Control
Everyone, Users and Power Users: Read, Read and Execute, List Folder Contents
SYSTEM: Full Control

The Default User folder inherits these permissions and also has the Hidden
flag turned on.

The All Users folder has a copy of these (rather than inheriting them)
except Power Users have additional rights (Everything except Change
Permissions and Take Ownership).

All other folders have Administrators, SYSTEM, and the owning user having
Full Control.

See if resetting these helps restore profile access to limited users.

Ownership of these doesn't seem to make a difference - I have a couple of
limited users on my home Win2K machine and their profile folder's owner is
Administrators (the local group). As long as each user has Full Control
over their own profile folder they should be able to use it.

One more thing though: Does a brand new user - one who's never had a profile
on that machine before - have the same difficulty?

-- 
PGP key (0x0AFA039E): <http://www.pan-am.ca/consulting@pan-am.ca.asc>
What's a PGP Key?  See <http://www.pan-am.ca/free.html>
GOD BLESS AMER, er, THE INTERNET. <http://vmyths.com/rant.cfm?id=401&page=4>
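
A read-only audit of the two conditions discussed in the message above (Domain Users nested in the local Administrators group, and the per-user profile folder permissions), as an added example that is not part of the original post. It assumes Windows PowerShell 5.1 or later, which did not exist for Windows 2000, and English built-in group names; the `-ProfileRoot` parameter name is hypothetical.

```powershell
# Added example, not from the original post. Reports only; changes nothing.
param(
    # Profile root named in the post. On Vista and later pass C:\Users instead.
    [string]$ProfileRoot = 'C:\Documents and Settings'
)

# 1. Is a "Domain Users" group a member of the local Administrators group?
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -like '*\Domain Users' } |
    ForEach-Object { Write-Warning "Local Administrators contains $($_.Name)" }

# 2. Per-user profile folders. The post expects Full Control for Administrators,
#    SYSTEM and the owning user only. Names below assume an English system.
$shared  = 'All Users', 'Default User'   # handled differently, per the post
$trusted = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'
$broad   = 'Everyone', 'BUILTIN\Users', 'BUILTIN\Power Users',
           'NT AUTHORITY\Authenticated Users'
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl
# Specific write-type rights plus GENERIC_ALL / GENERIC_WRITE, which
# inherit-only ACEs can carry as raw bits instead of named rights.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership' -bor
             0x10000000 -bor 0x40000000

Get-ChildItem -LiteralPath $ProfileRoot -Directory -Force |
    Where-Object { $shared -notcontains $_.Name } |
    ForEach-Object {
        $dir   = $_
        $allow = (Get-Acl -LiteralPath $dir.FullName).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' }

        # Broad groups that can modify someone's profile.
        $broadWriters = $allow | Where-Object {
            $id = $_.IdentityReference.Value
            ($broad -contains $id -or $id -like '*\Domain Users') -and
            ([int]$_.FileSystemRights -band $writeMask)
        }
        # Non-admin principals with Full Control; normally just the owning user.
        $owners = $allow | Where-Object {
            $trusted -notcontains $_.IdentityReference.Value -and
            ($_.FileSystemRights -band $full) -eq $full
        }
        [pscustomobject]@{
            Folder          = $dir.Name
            BroadWriters    = ($broadWriters.IdentityReference.Value | Sort-Object -Unique) -join ', '
            UserFullControl = ($owners.IdentityReference.Value | Sort-Object -Unique) -join ', '
        }
    }
```

An empty `UserFullControl` column marks a folder whose owning user has no Full Control entry, which matches the lost-profile symptom; a non-empty `BroadWriters` column marks a folder that is writable by more than its owner.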

