S
Spock
Hi. I am trying the suggestion that I have seen on the web where you can
create a restricted group policy in the domain policy that will
automatically add "domain users" as a member of the local administrators
group of whatever machine a person logs on to so that any domain user will
have full rights to the local machine.
I am editing the default domain group policy, going into computer
configuration -> windows settings -> security settings -> restricted groups,
adding a new group called "administrators" and adding "domain users" to it.
It seems to work fine. Any domain user that logs on to any XP PC in the
domain has full rights to the local machine.
HOWEVER, I found a big problem. On the actual domain controller server,
"domain users" is also a member if ITS OWN local administrators group! Even
if the folder security prevents a user from accessing a particular folder on
the server, that user can actually right-click that folder, go to security
and add themselves! Then they have full rights!
How do I prevent the server itself from receiving the restricted groups
policy?????
Thank you very much.
-Spock
create a restricted group policy in the domain policy that will
automatically add "domain users" as a member of the local administrators
group of whatever machine a person logs on to so that any domain user will
have full rights to the local machine.
I am editing the default domain group policy, going into computer
configuration -> windows settings -> security settings -> restricted groups,
adding a new group called "administrators" and adding "domain users" to it.
It seems to work fine. Any domain user that logs on to any XP PC in the
domain has full rights to the local machine.
HOWEVER, I found a big problem. On the actual domain controller server,
"domain users" is also a member if ITS OWN local administrators group! Even
if the folder security prevents a user from accessing a particular folder on
the server, that user can actually right-click that folder, go to security
and add themselves! Then they have full rights!
How do I prevent the server itself from receiving the restricted groups
policy?????
Thank you very much.
-Spock