RE: NEW sbs install creates domain users with local admin rights



Hi Philp,

Thanks for the update.

From your description, I understand that all the local policy is set
correctly, but you still cannot log on locally as a domain user, and you
cannot log on to the client computer even as the local administrator? To
make the issue clearer, please kindly perform the tests below:

1. When you log on to the client computer remotely as the local
administrator of this client computer, not logging on to the domain, does
the issue exist or not?
2. Please check the policy settings I referred to in the default domain
policy in Server Management to make sure that the policy is set correctly
and does not deny any of the users.
3. Does the issue occur on all the client computers or not?
4. Please also check the Event Viewer to see if there are any error
messages, and paste them to the newsgroup.

It seems to be a weird issue; as far as I know, the Connect Computer wizard
will change no settings in the local security policy. I appreciate your time
to test.



Best regards,

Charles Yang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

======================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
======================================================
This posting is provided "AS IS" with no warranties, and confers no rights.



--------------------
| From: "=?Utf-8?B?UGhpbGlwcA==?=" <Philipp@xxxxxxxxxxxxxxxxxxxxxxxxx>
| Subject: RE: NEW sbs install creates domain users with local admin rights
| Date: Wed, 21 Sep 2005 01:58:04 -0700
| Newsgroups: microsoft.public.windows.server.sbs
|
| Hi Charles,
|
| Thank you for your reply.
|
| I have checked the policy settings as you suggested. Everything seems fine
| there - the user groups are allowed to log on locally without being listed in
| the deny policy.
| I also noticed that I am unable to log on as the local administrator via
| remote desktop.
| Logging on via remote desktop as domain administrator, as you suggested,
| works fine.
|
| I am new to Windows 2003 Server and Active Directory, but I have the feeling
| that something may be wrong there. Can't I - or shouldn't I - push the
| required policies to the client PCs via AD?
|
| Regards,
| Phil
|
| "Charles Yang [MSFT]" wrote:
|
| > Hi Phil,
| >
| > Welcome to the SBS newsgroup.
| >
| > Issue description:
| > =============
| >
| > I understand that you encountered a problem where you could not log on from
| > the client computer to the domain without local administrator rights.
| >
| > Analysis and suggestions:
| > =================
| >
| > Generally speaking, we do not need local administrator rights to log on to a
| > client computer. It should be the local policy setting that denies logon to
| > users without administrator rights; please refer to my suggestions below to
| > check it:
| >
| > 1. Log on to the client computer locally as the local administrator.
| > 2. Run gpedit.msc from the command line.
| > 3. Computer Configuration->Windows Settings->Security Settings->Local
| > Policies->User Rights Assignment
| > 4. Please check the Deny logon locally and Log on locally policies to make
| > sure that the account is not in the deny list and is listed in the allow list.
| >
| > If the issue still exists, please test whether you can RDP to that client
| > computer with the domain user account.
| >
| > I appreciate your understanding; please feel free to post back. It's my
| > pleasure to be of assistance.
| >
| >
| >
| > Best regards,
| >
| > Charles Yang (MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > --------------------
| > | From: "=?Utf-8?B?UGhpbGlwcA==?=" <Philipp@xxxxxxxxxxxxxxxxxxxxxxxxx>
| > | Subject: NEW sbs install creates domain users with local admin rights
| > | Date: Tue, 20 Sep 2005 07:01:02 -0700
| > | Newsgroups: microsoft.public.windows.server.sbs
| > |
| > | I have just installed a new SBS server to replace our current NT4 DC.
| > | For testing, I added two client PCs and a number of Domain Users.
| > | Using the //server/connectcomputer wizard I added two XP client machines to
| > | the domain to be used by one of the previously configured users.
| > |
| > | I believe that assigning a user to the client PC is one of the reasons why
| > | users gain local administrator rights on the client machines? I do not want
| > | users to have local admin rights, so after installing software (Outlook) I
| > | removed them from the local administrator group and instead put them into the
| > | regular users group.
| > |
| > | Now, when I try to log in as one of these users, it tells me that I am not
| > | allowed to log in due to some local security restriction.
| > |
| > | Where can I change this? Why would there be a default setting requiring
| > | users to be local administrators to log into the domain?
| > |
| > | regards,
| > | Phil
| > |
| > |
| > |
| >
| >
|
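
The check in steps 3 and 4 of the quoted reply (the account must hold the right to log on locally and must not be in the deny list) can also be run against an exported policy instead of the gpedit.msc view. The following is an added example, not part of the original posts: it parses the `[Privilege Rights]` section written by `secedit /export /cfg rights.inf /areas USER_RIGHTS`. The sample policy, the domain user SID and the function names are constructed for illustration and do not reflect the poster's actual settings.

```python
# Added example: evaluate the "log on locally" user rights from a secedit export.
# Real exports are UTF-16: open("rights.inf", encoding="utf-16").read()
ALLOW = "SeInteractiveLogonRight"      # "Log on locally"
DENY = "SeDenyInteractiveLogonRight"   # "Deny logon locally"

def parse_privilege_rights(inf_text):
    """Return {right: set of principals} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            # SIDs are written as *S-1-...; account names appear bare.
            members = {m.strip().lstrip("*").upper()
                       for m in value.split(",") if m.strip()}
            rights[name.strip()] = members
    return rights

def can_log_on_locally(inf_text, principals):
    """principals: SIDs or names in the logon token (the user plus its groups).
    A deny entry overrides any allow entry."""
    rights = parse_privilege_rights(inf_text)
    token = {p.lstrip("*").upper() for p in principals}
    denied = token & rights.get(DENY, set())
    if denied:
        return False, "denied via " + ", ".join(sorted(denied))
    allowed = token & rights.get(ALLOW, set())
    if allowed:
        return True, "allowed via " + ", ".join(sorted(allowed))
    return False, "no principal in the token holds " + ALLOW

# Constructed sample: only Administrators may log on locally, Guest is denied.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544
SeDenyInteractiveLogonRight = Guest
"""
ADMINS, USERS = "S-1-5-32-544", "S-1-5-32-545"   # well-known local group SIDs
DOMAIN_USER_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # constructed

if __name__ == "__main__":
    print(can_log_on_locally(SAMPLE_INF, [DOMAIN_USER_SID, ADMINS]))
    print(can_log_on_locally(SAMPLE_INF, [DOMAIN_USER_SID, USERS]))
```

With this constructed policy the same user is accepted while a member of Administrators and rejected once only in Users, which is the kind of result the gpedit.msc check is meant to reveal or rule out.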
