Re: Manually added user rights assignments

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 10/06/04 

Date: Wed, 6 Oct 2004 07:19:41 -0700

I like Mark are confused at how you are trying to do this.
Are you attempting to set this is a GPO of AD that is applied
onto the server, or to do this in the member's Local Security
Policy ? If via AD GPO you are using a GPO linked to an
OU (containing the servers) not to the domain (right?) and are
entering Administrators rather than selecting it with the GUI?
Also, are your members W2k or W2k3 ? With W2k3 you
can use the policy to disable the Administrator account to
make the built-in Administrator (however renamed) only of
use for a non-normal boot (recovery, safe mode, ...).
Also, if you have TS installed in admin mode on W2k, or you
have W2k3, you would want to remember to also take control
over use of a TS login by the account(s). 

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Harrison Blackwood" <HarrisonBlackwood@discussions.microsoft.com> wrote in
message news:C469D2C1-EF33-4288-A70F-A9C3C170D40A@microsoft.com...
> Have been trying to add the buit-in Admin accounts of my members servers
to
> Computer Configuration\Windows Settings\Security Settings\Local
> Policies\User Rights Assignment\Deny access to this computer from the
network.
>
> Thus far have been unable to.
> 1. Tried logging on to the members servers using the Domain Admin account
> and then adding the local admins to the policy. Was unable to access the
> local built-in account to add it to the policy.
> 2. Tried logging in as the built-in admin, but was then unable launch the
> ADUC.
>
> Would someone please tell me what it is I am missing or not grasping?
>
> Thank you,
>
> Harrison

Relevant Pages

  • Re: How to disallow GPO to run on Windows servers
    ... is a specific ID for doing admin things. ... $joe id, the $joe is the ID that has admin rights to log into servers and such ... the admin IDs are in an OU that doesn't have a GPO applied. ...
    (microsoft.public.win2000.active_directory)
  • Re: Windows 2008 Network Level Authentication
    ... temporarily block inheritance on all domain-wide GPOs on the OU ... Terminals Servers, properly licensed and set up in a round-robin ... Using either the local GPO and Disabling the Network Level ... Authentication turned completely off, and remain so. ...
    (microsoft.public.windows.terminal_services)
  • Re: Terminal Server GPO Issue
    ... servers that is not in the OU where the GPO is supposed to be applied and I ... Microsoft Windows Operating System Group Policy Result tool v2.0 ... Sharepoint Auth GPO ... Event Log Settings ...
    (microsoft.public.windows.server.active_directory)
  • Re: GP/OU Problem/Question
    ... Create OU & GPO for the TS: ... Right click 'Terminal Servers' OU, ... Ensure that TestUser1 is a member of Domain Users & Remote Desktop ... Make the Security group member of RDU. ...
    (microsoft.public.windows.terminal_services)
  • Re: Loopback Policy Not Taking Effect
    ... Have you rebooted your servers yet? ... Terminal Servers in the OU ... loopback GPO to the "Terminal Servers" OU but to the OU that holds my TS ... ad TS Lockdown Policy and assigned them mostly Computer ...
    (microsoft.public.windows.terminal_services)