Re: Local Admin w/o network rights

From: pittspeed (turbovw18_at_hotmail.com)
Date: 06/29/04


Date: Tue, 29 Jun 2004 15:20:39 -0400

thanks for the reply... that really wouldn't work, mainly because we have
over 500 PCs and aren't going to hit them all...

i know that i'm on the right path, i just don't understand the restricted
groups enough, wish i could find whitepapers on the subject.

"Jody Riding" <jriding@fishnetsecurity.com> wrote in message
news:229a201c45e0d$4b569dd0$a601280a@phx.gbl...
> one way you could do it is to add that group to the local
> admin group on each pc but don't add them to any domain
> group or domain user group. They would be able to log in
> locally but when they try to log in to the domain they
> wouldn't have correct credentials.
>
> Hope that helps in what you are trying to do. Excuse the
> misspellings.
>
>
> >-----Original Message-----
> >i made a post yesterday on how to implement a GPO for a 'desktop admin' that
> >could work on a local machine but have no network access.... since i've
> >followed the steps of creating the security group 'desktop admin' with local
> >admin rights.... then i added a user to the member of desktop admin...
> >
> >then i went to my current administrator GPO and added the restricted user as
> >outlined in this response
> >
> > "For example, to add a domain group to the power users group (local only):
> >
> >Load a GPO and navigate to Computer Configuration\Windows Settings\Security
> >Settings\Restricted Groups
> >
> >Right-click and choose add.
> >
> >Enter Power Users (don't use Browse)
> >
> >Double-click on Power Users (once it's been added) and add the new group
> >Desktop Admins to the 'Members of this group' section.
> >
> >Upon policy refresh, the new group will be added to the local power users
> >groups on local PCs"
> >
> >after a reboot and policy refresh my user has full network rights and is
> >wide open in all aspects. So i did something incorrectly, do you have any
> >suggestions?
> >
> >i was thinking about it and created a new org. unit with a new GPO and did
> >the restricted user and still, the user has full blown rights. I'm
> >confused... any insight?
> >
> >thanks in advance.
> >
> >
> >.
> >
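
Added example, not part of the original thread: a GPO stores its Restricted Groups settings in the `[Group Membership]` section of `GptTmpl.inf`, and this sketch parses a constructed copy of that section and simulates what a policy refresh does to a PC's local groups, given that a defined `Members` list replaces the existing membership. The domain `EXAMPLE`, host `PC01`, user `jsmith` and both function names are assumptions made for illustration.

```python
# Constructed GptTmpl.inf fragment matching the quoted steps:
# Power Users (well-known SID S-1-5-32-547) with Desktop Admins as its member.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members = EXAMPLE\\Desktop Admins
"""

# Well-known SIDs for two built-in local groups.
WELL_KNOWN = {"*S-1-5-32-544": "Administrators", "*S-1-5-32-547": "Power Users"}


def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} for the section."""
    policy, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, _, kind = key.strip().rpartition("__")
        kind = kind.lower()
        if not group or kind not in ("members", "memberof"):
            continue
        names = [WELL_KNOWN.get(v.strip(), v.strip())
                 for v in value.split(",") if v.strip()]
        policy.setdefault(WELL_KNOWN.get(group, group), {})[kind] = names
    return policy


def apply_members(policy, local_groups):
    """Simulate a refresh: each defined Members list replaces the local one.

    Returns (resulting membership, accounts removed per group). Groups the
    policy does not name are left untouched.
    """
    result = {g: sorted(m) for g, m in local_groups.items()}
    removed = {}
    for group, entry in policy.items():
        if "members" in entry:
            before = set(local_groups.get(group, []))
            result[group] = sorted(entry["members"])
            removed[group] = sorted(before - set(entry["members"]))
    return result, removed
```

The setting only rewrites local group membership on the PCs the GPO applies to; groups that the policy does not list keep whatever members they already had.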


