Re: AD and policies affecting User

From: Roger Abell [MVP] (
Date: 08/17/04

Date: Mon, 16 Aug 2004 20:08:45 -0700

Not sure what all you have going on, but here is some info.

Only admins of a machine can alter its network settings, or in
a default config install drivers.

I would strongly suggest that you define new GPOs and make
your settings there rather than in either of the default GPOs
that come with initial istall - and - this is especially true for
experiments. It is much more simple to unlink or remove a
GPO you defined than to find a setting you made in error and
need to reverse. Another reason is that they you can use the
utilities to reset the default GPOs to their default settings.

When you set something on the local machine using a GPO
setting, then the local admin cannot change that, or if they can
then it is only temporary. Hence, only apply settings that you
do want unavailable to the machine local admin.

Roger Abell
Microsoft MVP (Windows Server System: Security)
MCDBA,  MCSE W2k3+W2k+Nt4
"bucrepus" <> wrote in message 
>I have what appears to be a simple problem, but can't get it to work. I 
> a W2003 server with AD and DNS installed. I joined a W2k workstation to 
> the
> domain. I created an account on the server and can log into the domain OK. 
> I
> checked policy by removing the RUN button from the menu bar so DNS ok. I
> then set it back to normal. I need the user to be able to administer his 
> own
> machine. Install drivers / software / change TCPIP address settings
> occasionally. How can this be done. I checked the LAN properties box and 
> it
> says user doesn't have rights to view or change some of the LAN props or
> disable the connection. I made the user a local admin on his machine, 
> didn't
> work.. How can this be done without giving him admin rights in the 
> domain?.
> For that matter, I added him to the admin group on the server in Active
> Directory, didn't help. I rebooted several times. Any ideas?. I have to 
> log
> on to the w2k box with the account Administrator in the Domain to change
> network and other settings. No other account I create as a member of 
> admins
> works. Default Domain Policy is only GPO in effect I guess..??? Any help
> Apprec..

Relevant Pages

  • Re: Frage zu WSUS/GPO Settings.
    ... Also die GPOs ... unter "AU" sollten die Settings ... Sobald wir also ein Update am WSUS aproven, ... Ich würde als Erstes mal ein RSOP auf einem Server generieren. ...
  • Re: Network Properties Permission Problem
    ... the domain administrator having the issue correct? ... > The computer received "Security" settings from these GPOs: ... >>> the local workstation admin user. ...
  • Re: under a domain, how do i give users full control of their workstat
    ... There isn't an automated way to make one user a local admin of one ... means that you need to automate the things that need admin rights, ... settings that you can set on the PC. ... Is it done though Group Policies? ...
  • Re: Access 2007->SQL Server2005 "connection was forcibly closed",G
    ... As I wrote in my answer to Erland some settings on ... restart the server tonight and I'll see the result tomorrow. ... And to come back to my problem: I think with help of the SQL Server admins ... help if someone has experience in the settings of SQL Server (the admin ...
  • Re: Group Policy for hardened PCs
    ... These automatically pick up the default domain policy. ... Now when I log in as ANYBODY on the development PC [even a Domain Admin], ... the user settings for THAT PC apply. ... So, even though the Developers are admins on the local machines, because ...