Re: Group policy tatooing with restricted group ? or strange behaviour !
- From: Meinolf Weber [MVP-DS] <meiweb(nospam)@gmx.de>
- Date: Wed, 8 Jul 2009 13:24:20 +0000 (UTC)
Hello Eric,
Run after the 3rd change when the user is logged in rsop and check if the policy is apllied with the correct setting.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Thank you for your answer but perhaps I was not clear enough.
There is no policy change when the problem occured. The user is
retrieving an OLD group policy when it is not connected to the LAN.
If the user added his account during Configuration 2; then, even if
the configuration 3 deleted the user account that was in the admin
group; if the user unplugged the network and reboot, his old user
account (in configuration 2) is present in the local admin group.
I hope I am clear enough this time :)
thanks
Hello Eric,
If the policy change is not applied because the machine was not on
the domain when you made the change, this is normal. To apply the new
policy the machine has to be connected toi the domain.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hello,
we have Windows 2000/Xp clients in our Active Directory.
Configuration 1 --> We had a GPO applied on computers that defined a
restricted group for BUILTIN\Administrators. (So, if a user wanted
to add himself to his local administrators group,his user account
was automatically removed from this group).
Configuration 2 --> During three months, we have changed this GPO
and the restricted group was defined witht the "member of" parameter
so a user was able to add himself to the local admin group.
Configuration 3 (= configuration 1) --> Then, as some of the users
knew the local admin password and have added without autorization to
the local admin group, we have configured the restricted group as
before (and so users are removed from the local admin group).
now the problem ...
If a user power on his computer with the network disabled or if the
GPO is not applied for any reason), the local admin group is
identical to what is was during the "configuration 2" and so some
users are local admin ...
Is it normal ?
Thank you
.
- References:
- Prev by Date: OT: Fastest solution for user data migration to domain. Client side
- Next by Date: Domain root MX records do not work with DNS STUB zones
- Previous by thread: Re: Group policy tatooing with restricted group ? or strange behaviour !
- Next by thread: Re: Group policy tatooing with restricted group ? or strange behaviour !
- Index(es):
Relevant Pages
|
Loading
