Archived from groups: microsoft.public.win2000.security
First off, if at all possible, you want to prevent regular users from being members
of the local administrators group or power users group; otherwise it will be very
difficult to restrict them, particularly as local administrators.

There are many Group Policy settings to restrict users, particularly in user
configuration/administrative templates; see the various categories. Note that you
can configure local policy via gpedit.msc, though it is much easier to do via domain
or Organizational Unit level. Local security policy applies to all users that log on
to a computer, while domain/OU "user configuration" policies apply only to domain
users and will be bypassed by a local user logon. If you do not want a Group Policy
user configuration to apply to domain administrators, you will need to exempt them by
giving the administrators group deny permissions to apply the GPO. To prevent
changes to the desktop, you need to either implement mandatory roaming profiles or
change the NTFS permissions of the user's profile/desktop folder to be
read/list/execute only. Below is a link on Group Policy. Group Policy is applied in
this order: local > site > domain > OU, where the last applied defined setting applies, and
users and computers must be within the scope of influence of the Group Policy [GPO],
as in the OU where the policy is applied if it is not at the domain level.
http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/part4/dsgch22.mspx

If you cannot log on to a domain computer as an administrator, there may be a couple
of reasons. By default, the domain admins group is in the local administrators group
of every domain computer. It is possible that was removed by a local administrator.
The "effective" setting on a domain computer needs to include users/everyone in the
"logon locally" user right assignment, and any entry in the "deny logon locally" user
right will override the right to log on locally. By default for domain computers other
than domain controllers, the logon locally user right is only configured in Local
Security Policy, which can be accessed via secpol.msc. Look under security
settings/local policies/user rights. You can define that at default domain policy if
need be for logon locally and deny logon locally. I would add at least users,
administrators, and domain admins if you do it at the domain level, and for deny logon
locally add just the guest account. That would override all Local Security Policy
settings on domain members after their policy refreshes, which could take up to two
hours unless you do a reboot on them. Make a habit of running secedit /refreshpolicy
machine_policy /enforce on a domain controller after configuring any security policy.
"Access this computer from the network" is needed to access any computer remotely, and
again "deny access to this computer from the network" will override the allow setting. You
can of course configure that at the domain/OU level.

If you think that you may have been removed from the local administrators group on
domain members, you can use "restricted groups" at the OU level to enforce membership
in the local administrators group, which probably will remove all existing members
other than the local built-in administrator account. A better temporary fix may be to run
a startup script on all domain computers that contains this command in a notepad
file that is named whatever.bat [ net localgroup administrators "domainname\domain
admins" /add ], which will add the domain admins group to the local administrators
group. Note that Group Policy for the domain will not apply if a local administrator
has removed the computer from the domain to avoid Group Policy or remote
administration. Running netdiag on any domain computer will tell if its computer
account is still in good standing in the domain. Netdiag and other important and free
support tools are available on the install CD in the support/tools folder, where you
will have to run setup to install the support tools. That should give you something
to start with.
--- Steve
http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q320065
http://support.microsoft.com/default.aspx?scid=kb;en-us;322241
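As an added example (not the script from the post above), here is an idempotent version of the startup script Steve describes: it only runs "net localgroup ... /add" when the domain admins group is actually missing, and it logs the outcome so a failed add (for example on a machine whose computer account is broken) is visible. EXAMPLEDOM is a placeholder for the domain's NetBIOS name; the log path is an assumption.

```batch
@echo off
rem Startup script: make sure "Domain Admins" is in the local Administrators group.
rem Added example, not the original post's script. Runs as LocalSystem via the
rem computer startup script GPO, so it can change local group membership.
rem EXAMPLEDOM is a placeholder domain name; LOGFILE location is an assumption.
setlocal
set DOMAIN=EXAMPLEDOM
set LOGFILE=%SystemRoot%\ensure-admins.log

rem "net localgroup administrators" lists members one per line as DOMAIN\Name.
rem find /i sets errorlevel 0 when the line is present, 1 when it is absent.
net localgroup administrators | find /i "%DOMAIN%\Domain Admins" >nul
if not errorlevel 1 (
    echo %date% %time% %DOMAIN%\Domain Admins already present, nothing to do >> "%LOGFILE%"
    goto :eof
)

rem Group is missing: add it and record whether the add succeeded.
net localgroup administrators "%DOMAIN%\Domain Admins" /add >nul 2>&1
if errorlevel 1 (
    rem A failure here usually means the machine cannot resolve the domain group,
    rem which is what "netdiag" on that computer would surface.
    echo %date% %time% FAILED to add %DOMAIN%\Domain Admins, run netdiag on this machine >> "%LOGFILE%"
) else (
    echo %date% %time% added %DOMAIN%\Domain Admins to Administrators >> "%LOGFILE%"
)
endlocal
```

Assign it under Computer Configuration/Windows Settings/Scripts (Startup) on the OU that holds the workstations; the log on each machine then shows which members still had the group removed.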
"James W. Long" <JamesLong@wowway.com> wrote in message
news:K6ydndmueMCSU2Td4p2dnA@wideopenwest.com...
> Hi All,
>
> I inherited this large W2K network. 3, DCs and lots of worksations,
> I am still learning about Win2k Server.
>
> where do I find the group policy snapin that specifies what is allowed
> to be modified on users desktops, i.e. what they can't modify in windows
> settings
> and what disallows running certain apps such as disk services. where is
> that snapin?
>
> Also where do I find the security that currently disallows the
> administrator
> to logon to a client machine. I need to reverse it, in otherwords, allow
> him
> to logon to clients. I dont know why they did this.
>
> Is that in the domain securit policy, under user rights assignments,
> under log on locally?
>
> does administrator have to also be specified in "acces this computer
> from the network" ? if he is not specified on the local machine that way,
> what
> do I need to specify to allow him to specify himself, because
>
> A. Even though I am a member of the administrators group,
> I cannot log on to any client as the administrator,
> and I cannot make changes to any client machine as my local user,
> even with my membership in administrators;
> and, I'm not sure where these snapins are on the DC to fix that.
>
> I can get on as administrator to the DC's,
> I just dont know where to find what I'm looking for.
>
> Thank you in advance,
> James W. Long