Re: Manually added user rights assignments

Tech-Archive recommends: Fix windows errors by optimizing your registry

From: Harrison Blackwood (HarrisonBlackwood_at_discussions.microsoft.com)
Date: 10/06/04 

Date: Wed, 6 Oct 2004 13:23:02 -0700

Roger,

     Am following the Windows 2003 Server Security Guide. The page I am
refering to is p. 144 "Additional Security Settings". On p. 145 there are
instructions for manually adding security groups to the "Deny access to this
computer from the network."

     There is talk in this section about adding the built-in admin to this
policy and that is what I am trying to do.

Regards,

Harrison

     
"Roger Abell" wrote:

> I like Mark are confused at how you are trying to do this.
> Are you attempting to set this is a GPO of AD that is applied
> onto the server, or to do this in the member's Local Security
> Policy ? If via AD GPO you are using a GPO linked to an
> OU (containing the servers) not to the domain (right?) and are
> entering Administrators rather than selecting it with the GUI?
> Also, are your members W2k or W2k3 ? With W2k3 you
> can use the policy to disable the Administrator account to
> make the built-in Administrator (however renamed) only of
> use for a non-normal boot (recovery, safe mode, ...).
> Also, if you have TS installed in admin mode on W2k, or you
> have W2k3, you would want to remember to also take control
> over use of a TS login by the account(s).
> --
> Roger Abell
> Microsoft MVP (Windows Server System: Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Harrison Blackwood" <HarrisonBlackwood@discussions.microsoft.com> wrote in
> message news:C469D2C1-EF33-4288-A70F-A9C3C170D40A@microsoft.com...
> > Have been trying to add the buit-in Admin accounts of my members servers
> to
> > Computer Configuration\Windows Settings\Security Settings\Local
> > Policies\User Rights Assignment\Deny access to this computer from the
> network.
> >
> > Thus far have been unable to.
> > 1. Tried logging on to the members servers using the Domain Admin account
> > and then adding the local admins to the policy. Was unable to access the
> > local built-in account to add it to the policy.
> > 2. Tried logging in as the built-in admin, but was then unable launch the
> > ADUC.
> >
> > Would someone please tell me what it is I am missing or not grasping?
> >
> > Thank you,
> >
> > Harrison
>
>
>

Relevant Pages

  • Re: The local policy of this system does not permit you to logon i
    ... Security policies were propagated with warning. ... Error 0x534 occurs when a user account in one or more Group Policy objects ... I have checked the security policies & the administrator profile is not ...
    (microsoft.public.windows.server.sbs)
  • Re: GPO Update Problem (SYSVOL access via UNC)
    ... > Server Security and Auditing Policy ... > This list only includes links in the domain of the GPO. ... > The settings in this GPO can only apply to the following groups, users, ...
    (microsoft.public.win2000.group_policy)
  • Re: Group Policy is now inhibiting the Administrator account
    ... under Group Policy Objects - those are the individual GPOs. ... You can apply any given GPO to one or more OUs, ... I use all of the default security in SBS, ... log on to the server with your own account. ...
    (microsoft.public.windows.server.sbs)
  • Re: lockdown desktop without Group Policy
    ... Group Policy settings. ... Logon as an administrator ... Right-click on the GroupPolicy folder and Properties - Security ... and enter "Edit Group Policy" for the name ...
    (microsoft.public.windows.terminal_services)
  • Re: computer policy
    ... Just log in as an admin, then use the security dialog ... Now log off and back on, remove the Deny, and then ... > I am the administrator ona xp pro machine, ... > a policy that was meant for the users that just use the ...
    (microsoft.public.windowsxp.security_admin)