Group policy tattooing with restricted group? Or strange behaviour!

Hello,

we have Windows 2000/XP clients in our Active Directory.

Configuration 1 --> We had a GPO applied on computers that defined a restricted group for BUILTIN\Administrators. (So, if a user wanted to add himself to his local Administrators group, his user account was automatically removed from this group.)

Configuration 2 --> For three months, we changed this GPO and the restricted group was defined with the "member of" parameter, so a user was able to add himself to the local admin group.

Configuration 3 (= configuration 1) --> Then, as some of the users knew the local admin password and had added themselves without authorization to the local admin group, we configured the restricted group as before (and so users are removed from the local admin group).

Now the problem...

If a user powers on his computer with the network disabled (or if the GPO is not applied for any reason), the local admin group is identical to what it was during "configuration 2", and so some users are local admins...

Is it normal?

Thank you
--
Eric

Hello Eric,

If the policy change is not applied because the machine was not on the domain when you made the change, this is normal. To apply the new policy the machine has to be connected to the domain.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Thank you for your answer, but perhaps I was not clear enough.

There is no policy change when the problem occurred. The user is retrieving an OLD group policy when he is not connected to the LAN.

If the user added his account during Configuration 2, then, even if configuration 3 deleted the user account that was in the admin group, if the user unplugs the network and reboots, his old user account (from configuration 2) is present in the local admin group.

I hope I am clear enough this time :)

Thanks
--
Eric

Hello Eric,

Run rsop after the 3rd change, when the user is logged in, and check if the policy is applied with the correct setting.

Best regards

Meinolf Weber

First off, as a general practice, you should be changing the admin password on a regular basis. If someone has compromised the password then it should be changed immediately.

As Meinolf already indicated, you have to be connected to the domain for the restriction policy to take effect.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

I agree, but my question is: how can I define the "default" users that have to be members of the local admin group when the computer is not connected to the network and so the group policy is not applied?

Thank you
--
Eric
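The thread's practical check is to verify, on a given client, whether the local Administrators group actually matches what the restricted-groups policy should have enforced, and whether the policy was applied in the current session. The script below is an added example written for this page, not code from any poster; it audits the local Administrators group against an approved baseline and reports any member not on it. The baseline entries and the `CONTOSO` domain name are placeholders to replace with your own. It reads membership through the ADSI WinNT provider rather than `Get-LocalGroupMember`, so it also works on older clients like the Windows XP era machines in the thread (where PowerShell is installed), and it ends with `gpresult` so the policy-applied question Meinolf raised can be answered from the same run.

```powershell
# Added example (not from the newsgroup thread): audit the local Administrators
# group against an approved baseline and report members that should not be there.
# Assumptions: baseline names and the CONTOSO domain are placeholders; run from an
# elevated prompt on the client being checked.

$Baseline = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin account
    'CONTOSO\Domain Admins',             # placeholder domain group
    'CONTOSO\Workstation-Admins'         # placeholder: your approved admin group
)

function Get-LocalAdminMembers {
    # The ADSI WinNT provider works on older clients where Get-LocalGroupMember is absent.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # ADsPath looks like WinNT://DOMAIN/name; normalise it to DOMAIN\name
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Compare-LocalAdmins {
    param([string[]]$Current, [string[]]$Approved)
    # -notcontains compares case-insensitively, matching how Windows treats account names
    $Current | Where-Object { $Approved -notcontains $_ }
}

$unexpected = Compare-LocalAdmins -Current (Get-LocalAdminMembers) -Approved $Baseline
if ($unexpected) {
    Write-Warning "Unapproved members of local Administrators on $env:COMPUTERNAME :"
    $unexpected | ForEach-Object { Write-Warning "  $_" }
    # Show which computer GPOs applied in this session, so a stale or missing
    # restricted-groups policy can be told apart from a membership change made by hand
    gpresult /r /scope:computer
} else {
    Write-Output 'Local Administrators group matches the approved baseline.'
}
```

Running this at logon, or from a scheduled task that writes the warning lines to a central log, gives the per-machine evidence the thread is after: if a machine that booted off the network still lists a user from the "configuration 2" period, the audit shows the extra member while `gpresult` shows whether the current restricted-groups GPO was applied at all.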