Re: Remove administrator account from domain guest group

Must have been a typo. I ran the following from a batch file, cycled the
logon and it worked on my test machine. I will try on the clients PC and
post back results. Thank you!

dsmod group "CN=Guests,CN=Builtin,DC=smallbusiness,DC=local" -rmmbr
"CN=Administrator,CN=Users,DC=smallbusiness,DC=local"

"kj [SBS MVP]" wrote:

Bob wrote:
I opened up a command prompt while logged in as Administrator.

As I'm running this from a virtual PC that I have complete control
over, I could setup another "admin" account that is not a member of
the guests account and have full control without errors. That won't
help in my clients case however.

What is really scary is that this could easily be used to attack a
windows server. All they would have to do is put the "everyone"
group into a guest account and you'd have a hell of a mess.

Misuse of Domain Admin accounts certainly can wreek plenty of havock. There
is no denying that.

Why your dsmod command did not complete is at issue. So you are saying that
the client has not other admin accounts to attempt this from correct?

So, if the admin is in "Guests", you would use "CN=Guests...." and if in
"Domain Guests" then "CN=Domain Guests..." in your dsmod command.

If you don't have permissions or a deny is in effect you should receive an
error... but a hang indicates some other issue in your enviroment. I'd first
start with version checking the DS tools on your virtual XP workstation if
you aren't able to execute this directly from the SBS server.



"Bob" wrote:

These are the results.

"CN=Guests,CN=Builtin,DC=smallbusiness,DC=local"
"CN=Domain Guests,CN=Users,DC=smallbusiness,DC=local"

"CN=Administrator,CN=Users,DC=smallbusiness,DC=local"
"CN=Guest,CN=Users,DC=smallbusiness,DC=local"

"kj [SBS MVP]" wrote:

What account did you use? Where did you run the dsmod command from?

Do you have another account with domain admin priviledges?

so you might try making sure your Distinguished Name is correct by
useing a dsquery

dsquery group

.... then find and check the DN of the "domain guests" and compare
to what you've entered.

if that's good, make sure of the DN for the administrator account
using the same method but this time using dsquery user instead.

(btw, the command should all be on one line)

Bob wrote:
When I run the following it just hangs and never completes.

dsmod group "CN=Guests,CN=Builtin,DC=smallbusiness,DC=local" -rmmbr
"CN=Administrator,CN=Users,DC=smallbusiness,DC=local"

"kj [SBS MVP]" wrote:

Have you tried the Directory services tools?

Like;

dsmod group "CN=Guests,CN=Builtin,DC=yourdomainname,DC=local"
-rmmbr "CN=Administrator,CN=Users,DC=yourdomainname,DC=local"




Bob wrote:
Hello group,

I am searching for a method of removing the adminstrator from the
domain guest users group. I have a customer that I suspect this
has happened to. I've created a virtual pc of sbs03 and
replicated the problem by adding the admin acct to the domain
guest acct. This is what I'm seeing.

When I try to launch Exchange System Manager I get a small
window as below:

Exchange System Manager
Access is denied
Facility: Win32
ID no: c0070005
Exchange System Manager

This will also appear when trying to view any objects in ADUC,
including domain groups. Server management gives the same error.
I've tried from DS restore mode but can't seem to bring the
domain up.

Now, mind you, I've replicated this issue on a freshly installed
copy of sbs03 and induced the error by adding the user
"administrator" to the group "Domain Guests". I know what to
do, I just don't know how to go about doing it. I've seen other
postings that talk about what needs to be done but none that
explain the steps.

Can someone shed some light on this?

Thanks in advance!

Bob

--
/kj

--
/kj

--
/kj



.

Relevant Pages

  • Re: using two user accts
    ... create an account because the person may only log on one or twice. ... problem with the Guest account is that hackers use that account to hack the ... admin account, and that can spell super trouble. ... has less permissions than my administrator acct. ...
    (microsoft.public.windowsxp.help_and_support)
  • Re: Remove administrator account from domain guest group
    ... the guests account and have full control without errors. ... group into a guest account and you'd have a hell of a mess. ... Misuse of Domain Admin accounts certainly can wreek plenty of havock. ... "Bob" wrote: ...
    (microsoft.public.windows.server.sbs)
  • Drive Access denied
    ... under Administrator login, something happened?? ... no account, Admin, user, guest, etc. can access the 'D' drive. ...
    (microsoft.public.win2000.security)
  • Re: Where did my administator go??
    ... name and assigned me as an Admin too and also added the guest log-in. ... The isssue is this - everything I have ever done is under the Administrator ... Do I then keep it there and transfer to my Joe account too or ??? ...
    (microsoft.public.windowsxp.general)
  • Re: Incoming E-Mail - cant create contact in OU
    ... central admin pool different than the web app. ... that account a little (if the web app is compromised or something, ... So I started with giving the app pool account domain admins permissions then ...
    (microsoft.public.sharepoint.windowsservices)