Discussion in 'Server Security' started by Andrew Staley, Mar 11, 2009.

  1. We're currently running a Server 2003 and looking to tighten up our
    security. One thing that I know has happened in the past is that certain
    PCs have had accounts created for domain users and they've been left with
    full Admin privileges.

    Is there a simple way, via Group Policy perhaps that I can knock all these
    accounts back down to User Only access? If not my only alternative is to go
    around some 200 machines and change them manually.

    Thanks in advance, Andrew.
    Andrew Staley, Mar 11, 2009
  2. Hello Andrew,

    Assuming that you talk about user accounts being in the local administrators
    group you can use Restricted groups to remove/replace them with the needed

    Keep attention on the "Members of this group" and "This group is a member
    of", to find your way.

    Best regards

    Meinolf Weber
    Meinolf Weber [MVP-DS], Mar 11, 2009
  3. Thanks for the reply. I've read through the guide, but must be missing

    I've created a GPO that is applying. I'm using "Members of the group" to
    leave only Administrator in the admin group and for test purposes I'm
    setting my own account to user. My account started as admin, GPO was
    applied on restart and my domain account shows as user. But I can still
    modify the system and install apps as if I'm a full administrator??

    Any pointers on where I may have gone wrong?

    Thanks, Andrew
    Andrew Staley, Mar 11, 2009
  4. Hello Andrew,

    Did you check the Administrators group in Local users and groups on the client
    machine? What members are in that group?

    Best regards

    Meinolf Weber
    Meinolf Weber [MVP-DS], Mar 11, 2009
  5. Review Security Options, User Right Assignments, and custom permissions
    applicable to the target computer...

    Marcin, Mar 11, 2009
  6. I checked the Security Options and all these are undefined.

    I've gone into Computer Management and checked Administrator, my username
    isn't shown there only Administrator. I've checked User and my username is
    shown there.

    I've then run "gpresult" and it shows that the policy has applied. Same
    with the GPResult Wizard on the DC.

    Within the GPO I've created two group names, Administrators, which contains
    under "Member of the Group" DOMAIN_NAME\Administrator. And Users also under
    the same section containing DOMAIN_NAME\My Username.

    On the PC Administrators/Users show exactly as defined above. No local
    accounts, just those I've defined above. Could this be part of the problem?

    Andrew Staley, Mar 12, 2009
  7. Hello Andrew,

    Use "Members of this group" and add there the accounts that should be local
    admin, that's all. Other existing local admins will be removed with this

    Best regards

    Meinolf Weber
    Meinolf Weber [MVP-DS], Mar 12, 2009
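    A way to verify that the "Members of this group" policy Meinolf describes actually took effect, as an added example that is not part of this thread: the script below reads the local Administrators group on one or more machines through the WinNT ADSI provider (no WinRM needed) and flags any member that is not on an approved list. `DOMAIN_NAME` is a placeholder for your domain, and the approved list is an assumption to be adjusted to your environment.

    ```powershell
    # Added example (not from the thread): audit the local Administrators group on
    # one or more computers and report members that are not on an approved list.
    # Assumptions: the machines resolve by name and you have rights to read the
    # local group remotely via the WinNT ADSI provider.

    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        # Approved members in the form the WinNT provider reports (DOMAIN/Name or
        # MACHINE/Name). "DOMAIN_NAME" is a placeholder for your own domain.
        [string[]]$Approved = @('DOMAIN_NAME/Administrator', 'DOMAIN_NAME/Domain Admins')
    )

    function Get-LocalAdminMembers {
        param([string]$Computer)
        $group = [ADSI]"WinNT://$Computer/Administrators,group"
        # Invoke('Members') returns COM objects; read AdsPath and Class by reflection.
        $group.psbase.Invoke('Members') | ForEach-Object {
            $adsPath = $_.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $_, $null)
            $class   = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
            # AdsPath looks like WinNT://DOMAIN/Name; strip the prefix for comparison.
            New-Object PSObject -Property @{
                Computer = $Computer
                Member   = $adsPath -replace '^WinNT://', ''
                Class    = $class
            }
        }
    }

    foreach ($c in $ComputerName) {
        try {
            $members = @(Get-LocalAdminMembers -Computer $c)
        } catch {
            Write-Warning "$c : could not read Administrators group ($($_.Exception.Message))"
            continue
        }
        # -notcontains compares case-insensitively; the built-in local account shows
        # as MACHINE/Administrator, so add it to $Approved if you intend to keep it.
        $extra = $members | Where-Object { $Approved -notcontains $_.Member }
        if ($extra) {
            $extra | ForEach-Object {
                Write-Output "$($_.Computer): UNEXPECTED local admin $($_.Member) ($($_.Class))"
            }
        } else {
            Write-Output "$c : Administrators group matches the approved list"
        }
    }
    ```

    Run it before and after a `gpupdate /force` on a test client to see the Restricted Groups policy replace the previous membership.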
  8. That worked perfectly. Thank you for your help.

    Andrew Staley, Mar 13, 2009
  9. Hello Andrew,

    Nice to hear, thanks for the feedback.

    Best regards

    Meinolf Weber
    Meinolf Weber [MVP-DS], Mar 13, 2009
