Re: Desktop Admin - HELP

From: ptwilliams (ptw2001_at_hotmail.com)
Date: 06/29/04


Date: Wed, 30 Jun 2004 00:01:24 +0100

I'm thinking that what's happening is that you're adding these users to the
domain administrators group - or worse, just the domain local admins group
which gives them admin control on DCs only.

I'm a little worried that I may have misled you - the example I gave works
because there isn't a domain power users group. I can't try this at the
moment, but does the .\Administrators work? After all, that's how Windows
displays a local account over a domainName\AccName...

-- 
Paul Williams
_________________________________________
 http://www.msresource.net
Join us in our new forums!
  http://forums.msresource.net
_________________________________________
"pittspeed" <turbovw18@hotmail.com> wrote in message
news:eMoud5fXEHA.4000@TK2MSFTNGP09.phx.gbl...
i've made all the changes that were outlined in that website, and all the
changes that were given to me by the previous poster.  I've applied the
restricted group in my GPO and refreshed my policy and all should be good... well
i log into a fresh machine and pull down the user info... i double click on
network and microsoft network and my entire LAN is there... then i double
click on my servers and all my shares are there... then i type \\server\c$
and here is the root.
so it's not properly working... i created the group desktop admin with only
local admin rights... i have them in the admin org unit, but they are a
restricted group, so i don't know why this isn't working for me.
adversely, the 'my computer' icon is nowhere to be found, and i can't
enable it using XP... i also can't change the 'mode' of the start menu from
classic to XP... so i'm wondering if i goofed something up... i'm rechecking
my steps...
ALSO, i created a brand new GPO to use, and it had the same results...
please advise...
thank you.
"pittspeed" <turbovw18@hotmail.com> wrote in message
news:umrUnGVXEHA.3664@TK2MSFTNGP12.phx.gbl...
> thanks guys... i was on the right track but was caught up on the GPO part...
>
> i'm sort of ashamed i didn't just think of this... try not to tell anyone :p
>
> "Chriss3" <noSpamHere@chrisse.se> wrote in message
> news:%23Q6Wy5UXEHA.808@tk2msftngp13.phx.gbl...
> > This article describes what Paul means
> > http://www.chrisse.se/MAQB.asp?ID=29
> >
> > -- 
> > Regards
> > Christoffer Andersson
> >
> > No email replies please - reply in the newsgroup
> > ------------------------------------------------
> > http://www.chrisse.se - Active Directory Tips
> >
> > "ptwilliams" <ptw2001@hotmail.com> wrote in message
> > news:upAmzrUXEHA.4000@TK2MSFTNGP09.phx.gbl...
> > > The way to do this is make the desktop admins domain users and a member of a
> > > new group, i.e. desktop admins and add the desktop admins group to the local
> > > admins group of local machines via the restricted groups policy.
> > >
> > >
> > > -- 
> > >
> > > Paul Williams
> > > _________________________________________
> > >  http://www.msresource.net
> > >
> > > Join us in our new forums!
> > >   http://forums.msresource.net
> > > _________________________________________
> > > "pittspeed" <turbovw18@hotmail.com> wrote in message
> > > news:%23DAXSnUXEHA.4032@TK2MSFTNGP11.phx.gbl...
> > > Hello,
> > >
> > >     i would like to hear your suggestions on how to properly make a desktop
> > > admin group policy that would be for a lower level admin to install and
> > > configure the local machine, but give no network access?
> > >
> > >     i was poking around and can make one up that would limit the ability to
> > > hit a network resource, but there are always tricks around that, like the $
> > > in a unc path for instance, so i'm trying to figure out the best bulletproof
> > > way.
> > >
> > > Thanks in advance for your responses.
> > >
> > >
> > >
> >
> >
>
>
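
The Restricted Groups setting discussed in this thread, shown as it is stored in a GPO's security template (GptTmpl.inf). This is an added example, not taken from any of the posts; the group name "Desktop Admins" follows the thread, and the domain group's SID is a placeholder to be replaced with the real one.

```ini
; Added example, not from the thread.
; Location inside the GPO (the GPO GUID is elided):
;   \\<domain>\SYSVOL\<domain>\Policies\{...}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
; Link the GPO to the OU that holds the workstations, not to the Domain Controllers OU.

[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[Group Membership]
; Restricted group: the domain global group "Desktop Admins".
; Its members are ordinary domain users; the group itself is NOT nested in
; Domain Admins or in the domain's built-in Administrators group.
; PLACEHOLDER SID below: substitute the SID of your own Desktop Admins group.
;
; "This group is a member of": on every machine that applies the GPO, add the
; group to BUILTIN\Administrators. The local group is named by its well-known
; SID S-1-5-32-544, so there is no local-versus-domain name ambiguity.
; This form is additive: existing members of the local group are kept.
*S-1-5-21-<domain-identifier>-<group-RID>__Memberof = *S-1-5-32-544

; "Members of this group" is left empty; the policy editor writes the empty
; key when only "This group is a member of" is filled in.
*S-1-5-21-<domain-identifier>-<group-RID>__Members =
```

On a domain controller S-1-5-32-544 resolves to the domain's built-in Administrators group, which is why the GPO link scope matters.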

