PC Review
Adding domain users as local XP administrators...

Spock
15th Jul 2004
Hi. I am trying the suggestion that I have seen on the web where you can
create a restricted group policy in the domain policy that will
automatically add "domain users" as a member of the local administrators
group of whatever machine a person logs on to so that any domain user will
have full rights to the local machine.

I am editing the default domain group policy, going into computer
configuration -> windows settings -> security settings -> restricted groups,
adding a new group called "administrators" and adding "domain users" to it.

It seems to work fine. Any domain user that logs on to any XP PC in the
domain has full rights to the local machine.

HOWEVER, I found a big problem. On the actual domain controller server,
"domain users" is also a member of ITS OWN local administrators group! Even
if the folder security prevents a user from accessing a particular folder on
the server, that user can actually right-click that folder, go to security
and add themselves! Then they have full rights!

How do I prevent the server itself from receiving the restricted groups
policy?????

Thank you very much.


-Spock

Ron Bernier
15th Jul 2004
One option is to NOT add that in the Default Domain Policy, but in an OU(s)
that the PCs are set up in ... Another is to set the option differently in
the Domain Controller Policy ... There are probably three or four different ways
you can achieve this ... Choose the one that's best based on your
configuration ...

"Spock" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi. I am trying the suggestion that I have seen on the web where you can
> create a restricted group policy in the domain policy that will
> automatically add "domain users" as a member of the local administrators
> group of whatever machine a person logs on to so that any domain user will
> have full rights to the local machine.
>
> I am editing the default domain group policy, going into computer
> configuration -> windows settings -> security settings -> restricted groups,
> adding a new group called "administrators" and adding "domain users" to it.
>
> It seems to work fine. Any domain user that logs on to any XP PC in the
> domain has full rights to the local machine.
>
> HOWEVER, I found a big problem. On the actual domain controller server,
> "domain users" is also a member of ITS OWN local administrators group! Even
> if the folder security prevents a user from accessing a particular folder on
> the server, that user can actually right-click that folder, go to security
> and add themselves! Then they have full rights!
>
> How do I prevent the server itself from receiving the restricted groups
> policy?????
>
> Thank you very much.
>
> -Spock

Richard Gilmore
16th Jul 2004
Here's an article from MCP mag recently that may help.

http://www.mcpmag.com/columns/articl...itorialsID=745


"Spock" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi. I am trying the suggestion that I have seen on the web where you can
> create a restricted group policy in the domain policy that will
> automatically add "domain users" as a member of the local administrators
> group of whatever machine a person logs on to so that any domain user will
> have full rights to the local machine.
>
> I am editing the default domain group policy, going into computer
> configuration -> windows settings -> security settings -> restricted groups,
> adding a new group called "administrators" and adding "domain users" to it.
>
> It seems to work fine. Any domain user that logs on to any XP PC in the
> domain has full rights to the local machine.
>
> HOWEVER, I found a big problem. On the actual domain controller server,
> "domain users" is also a member of ITS OWN local administrators group! Even
> if the folder security prevents a user from accessing a particular folder on
> the server, that user can actually right-click that folder, go to security
> and add themselves! Then they have full rights!
>
> How do I prevent the server itself from receiving the restricted groups
> policy?????
>
> Thank you very much.
>
> -Spock

Roger Abell
16th Jul 2004
Delete that Restricted Group definition.
You do not want to do such in any GPO linked at either
the Domain level or the Domain Controllers OU level.
You need to do that in a GPO that is linked to an OU
which contains the machines where you do want the
Restricted Group definition to be effective.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Spock" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Hi. I am trying the suggestion that I have seen on the web where you can
> create a restricted group policy in the domain policy that will
> automatically add "domain users" as a member of the local administrators
> group of whatever machine a person logs on to so that any domain user will
> have full rights to the local machine.
>
> I am editing the default domain group policy, going into computer
> configuration -> windows settings -> security settings -> restricted groups,
> adding a new group called "administrators" and adding "domain users" to it.
>
> It seems to work fine. Any domain user that logs on to any XP PC in the
> domain has full rights to the local machine.
>
> HOWEVER, I found a big problem. On the actual domain controller server,
> "domain users" is also a member of ITS OWN local administrators group! Even
> if the folder security prevents a user from accessing a particular folder on
> the server, that user can actually right-click that folder, go to security
> and add themselves! Then they have full rights!
>
> How do I prevent the server itself from receiving the restricted groups
> policy?????
>
> Thank you very much.
>
> -Spock

Torgeir Bakken (MVP)
16th Jul 2004
Spock wrote:

> Hi. I am trying the suggestion that I have seen on the web where you can
> create a restricted group policy in the domain policy that will
> automatically add "domain users" as a member of the local administrators
> group of whatever machine a person logs on to so that any domain user will
> have full rights to the local machine.
>
> I am editing the default domain group policy, going into computer
> configuration -> windows settings -> security settings -> restricted groups,
> adding a new group called "administrators" and adding "domain users" to it.
>
> It seems to work fine. Any domain user that logs on to any XP PC in the
> domain has full rights to the local machine.

Hi

You should not add "domain users" to the local Administrators group,
because this will open up cross-network access to all the domain
computers.

We add "NT Authority\Interactive" to the local Administrators group
to let all domain users automatically be local admins when they log
on to a computer interactively.

This is more secure than adding "Authenticated Domain users",
"Domain Users" or "NT AUTHORITY\Authenticated Users" because you
avoid the issue with cross-network admin rights (remote access)
that these groups introduce.



--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/com...r/default.mspx
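A defender's audit for the two points raised above (Roger's: never define Restricted Groups in a GPO linked at the domain or Domain Controllers OU level; Torgeir's: prefer NT AUTHORITY\INTERACTIVE over Domain Users or Authenticated Users). This is an added example, not code from the thread or from Microsoft: it lists every GPO linked at the domain root or the Domain Controllers OU whose security template puts a broad group into local Administrators, while accepting INTERACTIVE. It assumes the GroupPolicy RSAT module, read access to SYSVOL, and that $env:USERDNSDOMAIN names the domain.

```powershell
# Added example (not from this thread): audit domain-level and DC-OU GPO links for
# Restricted Groups entries that make broad groups members of local Administrators.
Import-Module GroupPolicy

$Broad = @{ 'S-1-5-11' = 'Authenticated Users'; '513' = 'Domain Users' }  # 513 = domain RID
$Interactive = 'S-1-5-4'   # NT AUTHORITY\INTERACTIVE: only users logged on at the console

function Get-RiskyAdminMembers {
    # Parse the [Group Membership] section of a GptTmpl.inf security template and
    # return each broad member configured for BUILTIN\Administrators (S-1-5-32-544).
    param([string]$GptTmplPath, [string]$GpoName)
    if (-not (Test-Path -LiteralPath $GptTmplPath)) { return }   # GPO has no security template
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $GptTmplPath) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection) { continue }
        # Entries look like:  *S-1-5-32-544__Members = *S-1-5-21-<domain>-513,*S-1-5-4
        if ($line -notmatch '^(?<grp>.+?)__Members\s*=\s*(?<members>.*)$') { continue }
        $grp = $Matches.grp.Trim().TrimStart('*')
        if ($grp -ne 'S-1-5-32-544' -and $grp -ne 'Administrators') { continue }
        foreach ($m in ($Matches.members -split ',')) {
            $m = $m.Trim().TrimStart('*')
            if ($m -eq '' -or $m -eq $Interactive) { continue }     # INTERACTIVE is the accepted choice
            $rid = ($m -split '-')[-1]
            if ($Broad.ContainsKey($m) -or ($m -like 'S-1-5-21-*' -and $Broad.ContainsKey($rid)) -or
                $m -match 'Domain Users|Authenticated Users') {
                [pscustomobject]@{ Gpo = $GpoName; Member = $m; Scope = $null }
            }
        }
    }
}

# Only the two link targets the thread warns about: domain root and Domain Controllers OU.
$dns = $env:USERDNSDOMAIN
$domainDn = 'DC=' + ($dns.ToLower() -replace '\.', ',DC=')
$targets = @{ 'Domain root' = $domainDn; 'Domain Controllers OU' = "OU=Domain Controllers,$domainDn" }
foreach ($scope in $targets.Keys) {
    foreach ($link in (Get-GPInheritance -Target $targets[$scope]).GpoLinks) {
        $inf = "\\$dns\SYSVOL\$dns\Policies\{$($link.GpoId)}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
        Get-RiskyAdminMembers -GptTmplPath $inf -GpoName $link.DisplayName |
            ForEach-Object { $_.Scope = $scope; $_ }
    }
}
```

Any row in the output is a GPO that, like Spock's edited Default Domain Policy, hands local admin rights on the domain controllers to every domain user; the fix is to move that Restricted Groups definition into a GPO linked to the workstation OU.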
 
Spock
16th Jul 2004
Can I do this in a live environment? I.e. Make a new OU, move the
computer accounts into it, create the new GPO and set my policy?

Thank you.


-Spock


"Roger Abell" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Delete that Restrict Group definition
> You do not want to do such in any GPO linked at either
> the Domain level or the Domain Controllers OU level.
> You need to do that in a GPO that is linked to an OU
> which contains the machines where you do want the
> Restricted Group definition to be effective.
>
> --
> Roger Abell
> Microsoft MVP (Windows Server System: Security)
> MCSE (W2k3,W2k,Nt4) MCDBA
> "Spock" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > Hi. I am trying the suggestion that I have seen on the web where you can
> > create a restricted group policy in the domain policy that will
> > automatically add "domain users" as a member of the local administrators
> > group of whatever machine a person logs on to so that any domain user will
> > have full rights to the local machine.
> >
> > I am editing the default domain group policy, going into computer
> > configuration -> windows settings -> security settings -> restricted groups,
> > adding a new group called "administrators" and adding "domain users" to it.
> >
> > It seems to work fine. Any domain user that logs on to any XP PC in the
> > domain has full rights to the local machine.
> >
> > HOWEVER, I found a big problem. On the actual domain controller server,
> > "domain users" is also a member of ITS OWN local administrators group! Even
> > if the folder security prevents a user from accessing a particular folder on
> > the server, that user can actually right-click that folder, go to security
> > and add themselves! Then they have full rights!
> >
> > How do I prevent the server itself from receiving the restricted groups
> > policy?????
> >
> > Thank you very much.
> >
> > -Spock

Torgeir Bakken (MVP)
16th Jul 2004
Spock wrote:

> Can I do this in a live environment? I.e. Make a new OU, move the
> computer accounts into it, create the new GPO and set my policy?

Hi

Yes.


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/com...r/default.mspx