Group policy tattooing with restricted group? or strange behaviour!

Discussion in 'Active Directory' started by Eric, Jul 8, 2009.

  1. Eric

    Eric Guest

    Hello,

We have Windows 2000/XP clients in our Active Directory.

    Configuration 1 --> We had a GPO applied to computers that defined a
    restricted group for BUILTIN\Administrators. (So, if a user wanted to
    add himself to his local Administrators group, his user account was
    automatically removed from this group.)

    Configuration 2 --> For three months, we changed this GPO and
    the restricted group was defined with the "member of" parameter, so a
    user was able to add himself to the local admin group.

    Configuration 3 (= configuration 1) --> Then, as some of the users knew
    the local admin password and had added themselves without authorization to the
    local admin group, we configured the restricted group as before
    (and so users are removed from the local admin group).

    Now the problem...

    If a user powers on his computer with the network disabled (or if the GPO
    is not applied for any reason), the local admin group is identical to
    what it was during "configuration 2", and so some users are local
    admins...

    Is it normal?

    Thank you
     
    Eric, Jul 8, 2009
    #1

  2. Hello Eric,

    If the policy change is not applied because the machine was not on the domain
    when you made the change, this is normal. To apply the new policy the machine
    has to be connected to the domain.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Jul 8, 2009
    #2

  3. First off, as a general practice, you should be changing the admin password
    on a regular basis. If someone has compromised the password, then it should
    be changed immediately.

    As Meinolf already indicated you have to be connected to the domain for the
    restriction policy to take effect.

    --
    Paul Bergson
    MVP - Directory Services
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, 2003, 2000 (Early Achiever), NT4
    Microsoft's Thrive IT Pro of the Month - June 2009

    http://www.pbbergs.com

    Please no e-mails, any questions should be posted in the NewsGroup This
    posting is provided "AS IS" with no warranties, and confers no rights.
     
    Paul Bergson [MVP-DS], Jul 8, 2009
    #3
  4. Eric

    Eric Guest

    Thank you for your answer but perhaps I was not clear enough.

    There was no policy change when the problem occurred. The user is
    retrieving an OLD group policy when he is not connected to the LAN.

    If the user added his account during Configuration 2, then, even if
    Configuration 3 deleted the user account that was in the admin group,
    if the user unplugs the network and reboots, his old user account (from
    Configuration 2) is present in the local admin group.

    I hope I am clear enough this time :)

    Thanks
     
    Eric, Jul 8, 2009
    #4
  5. Hello Eric,

    After the 3rd change, run rsop while the user is logged in and check if the
    policy is applied with the correct setting.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Jul 8, 2009
    #5
  6. Eric

    Eric Guest

    I agree, but my question is: "how can I define the 'default' users that
    have to be members of the local admin group when the computer is not
    connected to the network and so the group policy is not applied?"

    Thank you
     
    Eric, Jul 10, 2009
    #6
  7. The only way I can think of that would work is to write a script and then
    create a scheduled task that runs at boot to place the users you want in
    the groups they need to reside in. But you will have to manage every laptop
    for the users within the groups.

    --
    Paul Bergson
    MVP - Directory Services
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, 2003, 2000 (Early Achiever), NT4
    Microsoft's Thrive IT Pro of the Month - June 2009

    http://www.pbbergs.com

     
    Paul Bergson [MVP-DS], Jul 10, 2009
    #7
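The boot-time script and scheduled task Paul describes, together with the "check what is actually applied" step Meinolf suggests in #5, as an added example that is not from the thread or from either poster. It is written in PowerShell, which assumes a client newer than the Windows 2000/XP machines in the question; the baseline list, the log path and the script location are constructed placeholders, and the baseline must be kept identical to the GPO's restricted-group "Members" list so the task and the policy do not fight each other. The script reconciles local Administrators membership against that baseline and logs every difference it finds, so the log also shows who was added while the machine was off the network. It restores state only at boot and can be undone by anyone who already holds local admin, so it complements, rather than replaces, Paul's point about changing the shared local admin password.

```powershell
param(
    # Constructed placeholder baseline: replace with the accounts your GPO
    # restricted-group "Members" list enforces, written the way 'net localgroup'
    # prints them (bare name for local accounts, DOMAIN\Name for domain accounts).
    [string[]]$BaselineMembers = @('Administrator', 'EXAMPLE\Domain Admins', 'EXAMPLE\Workstation Admins'),
    [string]$LogPath = "$env:SystemRoot\Temp\local-admin-enforce.log",   # assumed location
    [switch]$ReportOnly   # log drift without changing membership (the rsop-style check)
)

function Get-LocalAdminMembers {
    # Parse 'net localgroup Administrators': member names sit between the dashed
    # separator line and the 'The command completed successfully.' footer.
    $inList = $false
    $members = @()
    foreach ($line in (net localgroup Administrators)) {
        if ($line -match '^-{5,}') { $inList = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inList -and $line.Trim()) { $members += $line.Trim() }
    }
    return $members
}

function Get-MembershipDrift {
    param([string[]]$Current, [string[]]$Baseline)
    # -contains / -notcontains compare strings case-insensitively, which matches how
    # Windows treats account names. Extra = present locally but not in the baseline
    # (added while the policy could not apply); Missing = baseline member removed locally.
    $extra   = @($Current  | Where-Object { $Baseline -notcontains $_ })
    $missing = @($Baseline | Where-Object { $Current  -notcontains $_ })
    return @{ Extra = $extra; Missing = $missing }
}

function Write-Log {
    param([string]$Message)
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Add-Content -Path $LogPath -Value "$stamp  $Message"
}

function Set-LocalAdminMembership {
    # Apply the baseline: remove unexpected members, re-add missing ones.
    # With -DryRun only the log entries are written.
    param([hashtable]$Drift, [switch]$DryRun)
    foreach ($name in $Drift.Extra) {
        Write-Log "DRIFT: '$name' is in Administrators but not in the baseline"
        if (-not $DryRun) { net localgroup Administrators "$name" /delete | Out-Null }
    }
    foreach ($name in $Drift.Missing) {
        Write-Log "DRIFT: baseline member '$name' is missing from Administrators"
        if (-not $DryRun) { net localgroup Administrators "$name" /add | Out-Null }
    }
}

function Register-EnforcementTask {
    # Creates the boot-time task as SYSTEM so a standard user cannot stop it.
    # $ScriptPath is an assumed location for a copy of this script; keep it free of
    # spaces so no quoting is needed inside the /TR value.
    param([string]$ScriptPath = "$env:SystemRoot\Scripts\Enforce-LocalAdmins.ps1")
    $action = "powershell.exe -NoProfile -NonInteractive -File $ScriptPath"
    schtasks /Create /TN "Enforce-LocalAdmins" /SC ONSTART /RU SYSTEM /TR $action /F
}

# --- main: run once per boot by the scheduled task ---
$current = Get-LocalAdminMembers
$drift   = Get-MembershipDrift -Current $current -Baseline $BaselineMembers
Write-Log ("Current members: " + ($current -join ', '))
if ($drift.Extra.Count -eq 0 -and $drift.Missing.Count -eq 0) {
    Write-Log "No drift; membership matches baseline"
} else {
    Set-LocalAdminMembership -Drift $drift -DryRun:$ReportOnly
}
```

Run it once by hand with `-ReportOnly` on a machine that has been off the network, and compare the log with the membership `rsop.msc` reports as applied: a non-empty "DRIFT" list with rsop showing the correct restricted-group setting is exactly the situation Eric describes, and the scheduled task (created with `Register-EnforcementTask`) closes that gap at the next boot. Because the task runs as SYSTEM and the script is a file on disk, protect the script path with an ACL that standard users cannot write to, or the enforcement itself becomes the thing a local admin tampers with.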