Re: Thoughts around GPO for disabling local administrator only
- From: "neo [mvp outlook]" <neo@xxxxxxxxxxxxxxx>
- Date: Sun, 14 May 2006 06:50:31 -0700
In your tests, where did you attach this new Group Policy object to disable
the local administrator account? The reason that I ask is that I can see it
not working if attaching at site or domainDNS level, but it should work if
applying to the built-in "computers" container or any OU that contains the
member workstation/servers but not domain controllers.
"Björn Johansson" <BjrnJohansson@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:14F558EA-EFF1-405E-9289-07E7CD955B09@xxxxxxxxxxxxxxxx
Hello,
DC's: 2003 SP1
Servers: 2000 and 2003
Clients: 2000
I would like to disable, through Group Policy, all LOCAL administrator
accounts on clients, but leave the domain\administrator intact. This is
because I suspect that the password has been compromised and I now use
Restricted Groups with segmented admins.
I've searched and tested myself without any luck. This is what I tried:
1. Administrator Account Status - also disables domain\administrator. I
need that account enabled because we are using a lockout policy (cannot be
changed). If I create another admin account, an attacker can lock me out
from the domain; domain\administrator can't be locked out.
2. Deny Logon Locally - is not working. I cannot add just the user
administrator; I get the following: "You cannot deny all users or
administrator(s) from logging on locally"
Any other thoughts or solutions?
Thanks,
Björn Johansson
System Technician