RE: NEW sbs install creates domain users with local admin rights



Hi Charles,

Thank you for your reply.

I have checked the policy settings as you suggested. Everything seems fine
there - the user groups are allowed to log on locally without being listed in
the deny policy.
I also noticed that I am unable to log on as the local administrator via
remote desktop.
Logging on via remote desktop as domain administrator, as you suggested,
works fine.

I am new to Windows 2003 Server and Active Directory, but I have the feeling
that something may be wrong there. Can't I - or shouldn't I - push the
required policies to the client PCs via AD?

Regards,
Phil

"Charles Yang [MSFT]" wrote:

> Hi Phil,
>
> Welcome to SBS newsgroup.
>
> Issue description:
> =============
>
> I understand that you encountered a problem where you could not log on from
> the client computer to the domain without the local administrator right.
>
> Analyzing and suggestions:
> =================
>
> Generally speaking, we do not need the local administrator right to log on
> to a client computer. It should be the local policy setting that denies
> logon to the user without administrator rights; please refer to my
> suggestion below to check it:
>
> 1. Log on to the local client computer as the local administrator, locally.
> 2. Run gpedit.msc from the command line.
> 3. Computer Configuration->Windows Settings->Security Settings->Local
> Policies->User Rights Assignment
> 4. Please check the "Deny logon locally" and "Log on locally" policies to
> make sure that the account is not in the deny list and is listed in the
> allow list.
>
> If the issue still exists, please test whether you can RDP to that client
> computer via the domain user account.
>
> I appreciate your understanding; please feel free to post back. It's my
> pleasure to be of assistance.
>
>
>
> Best regards,
>
> Charles Yang (MSFT)
>
> Microsoft CSS Online Newsgroup Support
>
> Get Secure! - www.microsoft.com/security
>
> ======================================================
> This newsgroup only focuses on SBS technical issues. If you have issues
> regarding other Microsoft products, you'd better post in the corresponding
> newsgroups so that they can be resolved in an efficient and timely manner.
> You can locate the newsgroup here:
> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
> When opening a new thread via the web interface, we recommend you check the
> "Notify me of replies" box to receive e-mail notifications when there are
> any updates in your thread. When responding to posts via your newsreader,
> please "Reply to Group" so that others may learn and benefit from your
> issue.
>
> Microsoft engineers can only focus on one issue per thread. Although we
> provide other information for your reference, we recommend you post
> different incidents in different threads to keep the thread clean. In doing
> so, it will ensure your issues are resolved in a timely manner.
>
> For urgent issues, you may want to contact Microsoft CSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> Any input or comments in this thread are highly appreciated.
> ======================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
> --------------------
> | Thread-Topic: NEW sbs install creates domain users with local admin rights
> | thread-index: AcW967wzeeY728wlTTSaVMqVAyfXKw==
> | X-WBNR-Posting-Host: 87.122.4.171
> | From: "=?Utf-8?B?UGhpbGlwcA==?=" <Philipp@xxxxxxxxxxxxxxxxxxxxxxxxx>
> | Subject: NEW sbs install creates domain users with local admin rights
> | Date: Tue, 20 Sep 2005 07:01:02 -0700
> | Lines: 21
> | Message-ID: <17E60E0B-4DA3-4CB4-8C00-E30922AD3BD5@xxxxxxxxxxxxx>
> | MIME-Version: 1.0
> | Content-Type: text/plain;
> | charset="Utf-8"
> | Content-Transfer-Encoding: 7bit
> | X-Newsreader: Microsoft CDO for Windows 2000
> | Content-Class: urn:content-classes:message
> | Importance: normal
> | Priority: normal
> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
> | Newsgroups: microsoft.public.windows.server.sbs
> | NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 10.40.2.250
> | Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
> | Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:154823
> | X-Tomcat-NG: microsoft.public.windows.server.sbs
> |
> | I have just installed a new SBS server to replace our current NT4 DC.
> | For testing, I added two client PCs and a number of Domain Users.
> | Using the //server/connectcomputer wizard I added two XP client machines
> | to the domain to be used by one of the previously configured users.
> |
> | I believe that assigning a user to the client PC is one of the reasons
> | why users gain local administrator rights on the client machines? I do
> | not want users to have local admin rights, so after installing software
> | (Outlook) I removed them from the local administrator group and instead
> | put them into the regular users group.
> |
> | Now, when I try to log in as one of these users, it tells me that I am
> | not allowed to log in due to some local security restriction.
> |
> | Where can I change this? Why would there be a default setting requiring
> | users to be local administrators to log into the domain?
> |
> | regards,
> | Phil
> |
> |
> |
>
>
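
Added example, not part of the original posts: the "Log on locally" / "Deny logon locally" check from the steps quoted above, done as a script over a user-rights export produced with `secedit /export /areas USER_RIGHTS /cfg rights.inf`. The sample export is constructed, the function names are hypothetical, and the SIDs are the well-known BUILTIN group SIDs.

```python
import re

ALLOW = "SeInteractiveLogonRight"      # shown in gpedit.msc as "Log on locally"
DENY = "SeDenyInteractiveLogonRight"   # shown as "Deny logon locally"

# Constructed sample export (not taken from the thread).
# S-1-5-32-544 = Administrators, -545 = Users, -546 = Guests, -551 = Backup Operators
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeDenyInteractiveLogonRight = *S-1-5-32-546
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {right name: set of SIDs/account names} from [Privilege Rights]."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are exported with a leading '*'; plain account names have none.
            rights[name.strip()] = {
                v.strip().lstrip("*").lower() for v in value.split(",") if v.strip()
            }
    return rights

def can_log_on_locally(rights, principals):
    """principals: the user's own SID/name plus those of every group it is in."""
    ids = {p.lower() for p in principals}
    if ids & rights.get(DENY, set()):       # a deny entry wins over any allow entry
        return False, "listed in Deny logon locally"
    if ids & rights.get(ALLOW, set()):
        return True, "listed in Log on locally"
    return False, "not listed in Log on locally"
```

In the constructed sample, an account that is only a member of Users is refused because Users is missing from the allow list, while a member of Administrators is accepted. secedit writes the export as UTF-16, so open a real file with `encoding="utf-16"` before passing its text to the parser.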