Sign in with
Sign up | Sign in
Your question

local admin w/o network rights

Last response: in Windows 2000/NT
Share
Anonymous
June 29, 2004 6:42:37 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

i made a post yesterday on how to implement a GPO for a 'desktop admin' that
could work on a local machine but have no network access.... since i've
followed the steps of creating the security group 'desktop admin' with local
admin rights.... then i added a user to the member of desktop admin...

then i went to my current administrator GPO and added the restricted user as
outlined in this responce

"For example, to add a domain group to the power users group (local
only):

Load a GPO and navigate to Computer Configuration\Windows Settings\Security
Settings\Restricted Groups

Right-click and choose add.

Enter Power Users (don't use Browse)

Double-click on Power Users (once it's been added) and add the new group
Desktop Admins to the 'Members of this group' section.

Upon policy refresh, the new group will be added to the local power users
groups on local PCs"

after a reboot and policy refresh my user has full network rights and is
wide open in all aspects. So i did something incorrectly, do you have any
suggestions?

i was thinking about it and created a new org. unit with a new GPO and did
the restricted user and still, the user has full blown rights. I'm
confused... any insight?

thanks in advance.
Anonymous
June 30, 2004 5:54:27 AM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

To prevent a user from accessing computers over the network, add that user/group to
the "deny accessing this computer from the network" user right in security policy
under security settings/local policies/user rights. You could do that at the domain
or Organizational Unit level if you use OU's. Do not however do that in Domain
Controller Security Policy or in the Local Security Policy of domain controllers as
that user/group may not be able to logon to the domain then. --- Steve


"pittspeed" <turbovw18@hotmail.com> wrote in message
news:o Pl2ajgXEHA.3988@tk2msftngp13.phx.gbl...
> i made a post yesterday on how to implement a GPO for a 'desktop admin' that
> could work on a local machine but have no network access.... since i've
> followed the steps of creating the security group 'desktop admin' with local
> admin rights.... then i added a user to the member of desktop admin...
>
> then i went to my current administrator GPO and added the restricted user as
> outlined in this responce
>
> "For example, to add a domain group to the power users group (local
> only):
>
> Load a GPO and navigate to Computer Configuration\Windows Settings\Security
> Settings\Restricted Groups
>
> Right-click and choose add.
>
> Enter Power Users (don't use Browse)
>
> Double-click on Power Users (once it's been added) and add the new group
> Desktop Admins to the 'Members of this group' section.
>
> Upon policy refresh, the new group will be added to the local power users
> groups on local PCs"
>
> after a reboot and policy refresh my user has full network rights and is
> wide open in all aspects. So i did something incorrectly, do you have any
> suggestions?
>
> i was thinking about it and created a new org. unit with a new GPO and did
> the restricted user and still, the user has full blown rights. I'm
> confused... any insight?
>
> thanks in advance.
>
>
>
Anonymous
June 30, 2004 12:44:28 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Thanks Steve,

i'm going to try this today using OU's... i do have numerous Org Units...
thanks for the help!!!!



"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
news:n3pEc.1474$%_6.277@attbi_s01...
> To prevent a user from accessing computers over the network, add that
user/group to
> the "deny accessing this computer from the network" user right in security
policy
> under security settings/local policies/user rights. You could do that at
the domain
> or Organizational Unit level if you use OU's. Do not however do that in
Domain
> Controller Security Policy or in the Local Security Policy of domain
controllers as
> that user/group may not be able to logon to the domain then. --- Steve
>
>
> "pittspeed" <turbovw18@hotmail.com> wrote in message
> news:o Pl2ajgXEHA.3988@tk2msftngp13.phx.gbl...
> > i made a post yesterday on how to implement a GPO for a 'desktop admin'
that
> > could work on a local machine but have no network access.... since i've
> > followed the steps of creating the security group 'desktop admin' with
local
> > admin rights.... then i added a user to the member of desktop admin...
> >
> > then i went to my current administrator GPO and added the restricted
user as
> > outlined in this responce
> >
> > "For example, to add a domain group to the power users group (local
> > only):
> >
> > Load a GPO and navigate to Computer Configuration\Windows
Settings\Security
> > Settings\Restricted Groups
> >
> > Right-click and choose add.
> >
> > Enter Power Users (don't use Browse)
> >
> > Double-click on Power Users (once it's been added) and add the new group
> > Desktop Admins to the 'Members of this group' section.
> >
> > Upon policy refresh, the new group will be added to the local power
users
> > groups on local PCs"
> >
> > after a reboot and policy refresh my user has full network rights and is
> > wide open in all aspects. So i did something incorrectly, do you have
any
> > suggestions?
> >
> > i was thinking about it and created a new org. unit with a new GPO and
did
> > the restricted user and still, the user has full blown rights. I'm
> > confused... any insight?
> >
> > thanks in advance.
> >
> >
> >
>
>
!