local admin w/o network rights

Archived from groups: microsoft.public.win2000.group_policy

I made a post yesterday on how to implement a GPO for a 'desktop admin' that
could work on a local machine but have no network access.... since I've
followed the steps of creating the security group 'desktop admin' with local
admin rights.... then I added a user to the member of desktop admin...

Then I went to my current administrator GPO and added the restricted user as
outlined in this response

"For example, to add a domain group to the power users group (local
only):

Load a GPO and navigate to Computer Configuration\Windows Settings\Security
Settings\Restricted Groups

Right-click and choose add.

Enter Power Users (don't use Browse)

Double-click on Power Users (once it's been added) and add the new group
Desktop Admins to the 'Members of this group' section.

Upon policy refresh, the new group will be added to the local power users
groups on local PCs"

After a reboot and policy refresh my user has full network rights and is
wide open in all aspects. So I did something incorrectly, do you have any
suggestions?

I was thinking about it and created a new org. unit with a new GPO and did
the restricted user and still, the user has full blown rights. I'm
confused... any insight?

thanks in advance.
  1.

    To prevent a user from accessing computers over the network, add that user/group to
    the "deny accessing this computer from the network" user right in security policy
    under security settings/local policies/user rights. You could do that at the domain
    or Organizational Unit level if you use OUs. Do not, however, do that in Domain
    Controller Security Policy or in the Local Security Policy of domain controllers, as
    that user/group may not be able to log on to the domain then. --- Steve


    "pittspeed" <turbovw18@hotmail.com> wrote in message
    news:OPl2ajgXEHA.3988@tk2msftngp13.phx.gbl...
    > i made a post yesterday on how to implement a GPO for a 'desktop admin' that
    > could work on a local machine but have no network access.... since i've
    > followed the steps of creating the security group 'desktop admin' with local
    > admin rights.... then i added a user to the member of desktop admin...
    >
    > then i went to my current administrator GPO and added the restricted user as
    > outlined in this response
    >
    > "For example, to add a domain group to the power users group (local
    > only):
    >
    > Load a GPO and navigate to Computer Configuration\Windows Settings\Security
    > Settings\Restricted Groups
    >
    > Right-click and choose add.
    >
    > Enter Power Users (don't use Browse)
    >
    > Double-click on Power Users (once it's been added) and add the new group
    > Desktop Admins to the 'Members of this group' section.
    >
    > Upon policy refresh, the new group will be added to the local power users
    > groups on local PCs"
    >
    > after a reboot and policy refresh my user has full network rights and is
    > wide open in all aspects. So i did something incorrectly, do you have any
    > suggestions?
    >
    > i was thinking about it and created a new org. unit with a new GPO and did
    > the restricted user and still, the user has full blown rights. I'm
    > confused... any insight?
    >
    > thanks in advance.
    >
    >
    >
  2.

    Thanks Steve,

    I'm going to try this today using OUs... I do have numerous Org Units...
    thanks for the help!!!!


    "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    news:n3pEc.1474$%_6.277@attbi_s01...
    > To prevent a user from accessing computers over the network, add that user/group to
    > the "deny accessing this computer from the network" user right in security policy
    > under security settings/local policies/user rights. You could do that at the domain
    > or Organizational Unit level if you use OU's. Do not however do that in Domain
    > Controller Security Policy or in the Local Security Policy of domain controllers as
    > that user/group may not be able to logon to the domain then. --- Steve
    >
    >
    > "pittspeed" <turbovw18@hotmail.com> wrote in message
    > news:OPl2ajgXEHA.3988@tk2msftngp13.phx.gbl...
    > > i made a post yesterday on how to implement a GPO for a 'desktop admin' that
    > > could work on a local machine but have no network access.... since i've
    > > followed the steps of creating the security group 'desktop admin' with local
    > > admin rights.... then i added a user to the member of desktop admin...
    > >
    > > then i went to my current administrator GPO and added the restricted user as
    > > outlined in this response
    > >
    > > "For example, to add a domain group to the power users group (local
    > > only):
    > >
    > > Load a GPO and navigate to Computer Configuration\Windows Settings\Security
    > > Settings\Restricted Groups
    > >
    > > Right-click and choose add.
    > >
    > > Enter Power Users (don't use Browse)
    > >
    > > Double-click on Power Users (once it's been added) and add the new group
    > > Desktop Admins to the 'Members of this group' section.
    > >
    > > Upon policy refresh, the new group will be added to the local power users
    > > groups on local PCs"
    > >
    > > after a reboot and policy refresh my user has full network rights and is
    > > wide open in all aspects. So i did something incorrectly, do you have any
    > > suggestions?
    > >
    > > i was thinking about it and created a new org. unit with a new GPO and did
    > > the restricted user and still, the user has full blown rights. I'm
    > > confused... any insight?
    > >
    > > thanks in advance.
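
A way to verify the user right from Steve's reply after policy refresh, as an added example that is not part of the original thread: it parses the `[Privilege Rights]` section of a `secedit /export` file and reports whether the group is listed under `SeDenyNetworkLogonRight` ("Deny access to this computer from the network"), and flags the domain controller case he warns about. Restricted Groups only sets group membership, so it never shows up here. The group SID, the `EXAMPLE` domain name and the sample exports are constructed placeholders.

```python
# Constructed samples in the format written by
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# (the export file is normally UTF-16). All SIDs and names are made up.
GROUP_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # hypothetical "Desktop Admins"
HEADER = "[Unicode]\nUnicode=yes\n[Privilege Rights]\n"
WORKSTATION_BEFORE = HEADER + (
    "SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544\n"
    "SeDenyNetworkLogonRight = *S-1-5-32-546\n")
WORKSTATION_AFTER = HEADER + (
    "SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544\n"
    "SeDenyNetworkLogonRight = *S-1-5-32-546,*" + GROUP_SID + "\n")
DC_MISTAKE = HEADER + "SeDenyNetworkLogonRight = EXAMPLE\\Desktop Admins\n"


def privilege_rights(inf_text):
    """Map each user right in [Privilege Rights] to its set of principals."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Privilege Rights" and "=" in line:
            name, _, value = line.partition("=")
            # Entries are "*SID" or a plain account name, comma separated.
            rights[name.strip()] = {
                v.strip().lstrip("*").lower() for v in value.split(",") if v.strip()}
    return rights


def check_network_deny(inf_text, identities, is_domain_controller=False):
    """Return findings for one machine; identities = SID and/or name of the group."""
    denied = privilege_rights(inf_text).get("SeDenyNetworkLogonRight", set())
    listed = any(i.lower() in denied for i in identities)
    if is_domain_controller:
        # Steve's caveat: the group may then be unable to log on to the domain.
        return ["group is denied network logon on a domain controller"] if listed else []
    return [] if listed else ["group is not denied network logon on this computer"]


if __name__ == "__main__":
    ids = [GROUP_SID, "EXAMPLE\\Desktop Admins"]
    for label, text, dc in [("workstation, before", WORKSTATION_BEFORE, False),
                            ("workstation, after", WORKSTATION_AFTER, False),
                            ("domain controller", DC_MISTAKE, True)]:
        print(label, "->", check_network_deny(text, ids, dc) or "OK")
```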