Re: Restricted Groups - Local Users Group

Interesting. Verify that the regular user that you believe has excessive
access can run the command secedit.msc to open and edit Local Security
Policy. Double check with the command "net localgroup administrators" that
only the administrator and domainname\domain admins group is listed as
members. Then logon to the computer as the local administrator [non domain
account] to verify that the local administrators group has the SID of
BUILTIN\Administrators" S-1-5-32-544 by using the command whoami /groups
/sid. Whoami is part of the support tools. Logon as the domain user who you
believe to have excessive access and run the command whoami /user /groups to
check the group membership of his access token to see if it is what you
expect. Then run the command net group "domain admins" on a domain
controller to see if it is what you expect and remember any domain user that
is also in the domain admins group either directly or via group nesting will
be a local administrator on the domain computers. On the domain workstation
computer check the security logs for anything unusual around the time you
were logged on as a regular domain user after making sure that auditing of
logon events and account management is enabled. If still nothing seems to
explain your problem, move a domain computer into an OU that is not using
Restricted Groups and remove everyone but the built in local administrator
account from the local administrators group and then logon to that computer
as a regular domain user to see what happens. --- Steve


"jmalloney" <jmalloney@xxxxxxxxxx> wrote in message
news:%23HOv6iC0FHA.1256@xxxxxxxxxxxxxxxxxxxxxxx
>I ran all commands and the result is the same as what I see in Users and
>Groups. Everything appears to be configured correctly. Again all "domain
>users" are in the local users group only, yet anyone who logs in appears to
>have local admin rights to the pc!!
>
> "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxx> wrote in message
> news:ertFZGC0FHA.1256@xxxxxxxxxxxxxxxxxxxxxxx
>> Something seems to be amiss. On a computer where this is happen use the
>> command net local group administrators to see exactly what users and
>> groups are in the local administrators group and for a user in question
>> run the command net user username to see the group memberships of the
>> user named in username. If you have any questions about the results of
>> those commands post the results here in a reply. Also in Active Directory
>> Users and Groups check the membership of the domain admins group to make
>> sure it is what you expect. --- Steve
>>
>>
>>
>> "jmalloney" <jmalloney@xxxxxxxxxx> wrote in message
>> news:%23uhYMJA0FHA.1924@xxxxxxxxxxxxxxxxxxxxxxx
>>>I have used restricted groups in GP to control membership of both the
>>>local users and administrators groups. I added the "domain users" group
>>>to "Users" and "Domain Admins" group to "Administrators". The main
>>>reason I did this was that I wanted all domain users to be restricted
>>>from making system-wide changes to their local pc. The policy worked as
>>>I could see that their local groups reflected my settings at the domain.
>>>The problem is that although domain users are in the "users" group they
>>>are still able to make system-wide changes. I tested this, as a user I
>>>can make myself a local admin, delete system files...etc...
>>>
>>> In the past I never used group policy for this. I would simply open
>>> control panel, users, and add the user to the "restricted users" group.
>>> This always worked well, and prevented them from making any critical
>>> changes to the system. My understanding was that the "users" in
>>> computer management was the same as the "restricted users" group shown
>>> in control panel\users. What am I doing wrong?? I want all my domain
>>> users to be restricted through group policy!!
>>>
>>> HELP!
>>>
>>
>>
>
>


.

Relevant Pages

  • Re: Restricted Groups - Local Users Group
    ... back into restricted groups my policy worked fine. ... > access can run the command secedit.msc to open and edit Local Security ... Then run the command net group "domain admins" on ... > group nesting will be a local administrator on the domain computers. ...
    (microsoft.public.windows.group_policy)
  • Re: security problems
    ... I have installed a windows 2000 server sp4 with all updates, ... I tried this as the local administrator and the domain administartor ... Perhaps that will allow you fix things, providing you can do so from the command ...
    (microsoft.public.win2000.general)
  • RE: Remotely Manage Windows Service
    ... Your first command should have been: ... the MMC since they only get privilages over the service. ... Please note that if I make the user a local administrator, ... all services via the MMC for the server, but the netsvc command still says ...
    (microsoft.public.windows.server.general)
  • RE: Remotely Manage Windows Service
    ... Not much luck with the SC command and I can't seem to find much of any ... the MMC since they only get privilages over the service. ... Please note that if I make the user a local administrator, ... all services via the MMC for the server, but the netsvc command still says ...
    (microsoft.public.windows.server.general)
  • Re: Active Directory User Membership limit
    ... The problem is that the tokenGroups attribute is operational. ... I was hoping a command line tool like adfind or dsquery could get this ... Note that the number of security group memberships will be one greater than ... security group membership (including the "primary" group and membership ...
    (microsoft.public.windows.server.active_directory)
Loading