Adding domain users as local XP administrators...

Spock

Hi. I am trying the suggestion that I have seen on the web where you can
create a restricted group policy in the domain policy that will
automatically add "domain users" as a member of the local administrators
group of whatever machine a person logs on to so that any domain user will
have full rights to the local machine.

I am editing the default domain group policy, going into computer
configuration -> windows settings -> security settings -> restricted groups,
adding a new group called "administrators" and adding "domain users" to it.

It seems to work fine. Any domain user that logs on to any XP PC in the
domain has full rights to the local machine.

HOWEVER, I found a big problem. On the actual domain controller server,
"domain users" is also a member of ITS OWN local administrators group! Even
if the folder security prevents a user from accessing a particular folder on
the server, that user can actually right-click that folder, go to security
and add themselves! Then they have full rights!

How do I prevent the server itself from receiving the restricted groups
policy?

Thank you very much.


-Spock

Ron Bernier

One option is to NOT add that in the Default Domain Policy, but in an OU(s)
that the PCs are setup in ... Another is to set the option differently in
the Domain Controller Policy ... There's probably three-four different ways
you can achieve this ... Choose the one that's best based on your
configuration ...

Roger Abell

Delete that Restrict Group definition
You do not want to do such in any GPO linked at either
the Domain level or the Domain Controllers OU level.
You need to do that in a GPO that is linked to an OU
which contains the machines where you do want the
Restricted Group definition to be effective.

Torgeir Bakken (MVP)

Spock said:
Hi. I am trying the suggestion that I have seen on the web where you can
create a restricted group policy in the domain policy that will
automatically add "domain users" as a member of the local administrators
group of whatever machine a person logs on to so that any domain user will
have full rights to the local machine.

I am editing the default domain group policy, going into computer
configuration -> windows settings -> security settings -> restricted groups,
adding a new group called "administrators" and adding "domain users" to it.

It seems to work fine. Any domain user that logs on to any XP PC in the
domain has full rights to the local machine.

Hi

You should not add "domain users" to the local Administrators group,
because this will open for cross network access to all the domain
computers.

We add "NT Authority\Interactive" in the local Administrators group
to let all domain users automatically be local admins when they log
on to a computer interactively.

This is more secure than adding "Authenticated Domain users",
"Domain Users" or "NT AUTHORITY\Authenticated Users" because you
avoid the issue with cross network admin rights (remote access)
that these groups introduce.
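An added example (not from any of the posters) that checks the point Torgeir makes: it lists the local Administrators group and flags members a remote caller can present (Domain Users, Authenticated Users, Everyone), as opposed to NT AUTHORITY\INTERACTIVE, which is only in the token of a console or RDP logon and therefore never grants admin rights over the network. It uses the WinNT ADSI provider so it also runs on XP-era hosts with PowerShell 2.0. The computer name '.' (the local machine) is an assumption; run it elevated on the host you want to check.

```powershell
# Added example, not code from the thread. Audits the local Administrators
# group and reports which members give admin rights to network (remote)
# callers versus interactive logons only.
# Assumption: run elevated; '.' means the local machine.
$ComputerName = '.'

# Well-known SIDs (fixed by Windows, not assumptions)
$InteractiveSid        = 'S-1-5-4'     # NT AUTHORITY\INTERACTIVE
$AuthenticatedUsersSid = 'S-1-5-11'    # NT AUTHORITY\Authenticated Users
$EveryoneSid           = 'S-1-1-0'     # Everyone
$DomainUsersPattern    = '^S-1-5-21-\d+-\d+-\d+-513$'   # Domain Users = RID 513

function Get-LocalAdminSids {
    param([string]$Computer = '.')
    # WinNT provider works on every Windows version, including XP
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        $name  = $member.GetType().InvokeMember('Name',      'GetProperty', $null, $member, $null)
        $bytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        New-Object PSObject -Property @{ Name = $name; Sid = $sid }
    }
}

function Get-AdminRiskVerdict {
    param([string]$Sid)
    # INTERACTIVE is only present in console/RDP logon tokens, so a network
    # logon (SMB, WMI, remote registry) never inherits admin through it.
    if ($Sid -eq $InteractiveSid) { return 'OK: interactive logons only' }
    # These groups are in every domain account's token, including network
    # logons, so listing them makes every domain user an admin remotely.
    if ($Sid -eq $AuthenticatedUsersSid -or
        $Sid -eq $EveryoneSid -or
        $Sid -match $DomainUsersPattern) {
        return 'RISK: every domain account is admin over the network'
    }
    return 'review'
}

Get-LocalAdminSids -Computer $ComputerName | ForEach-Object {
    '{0,-45} {1,-48} {2}' -f $_.Name, $_.Sid, (Get-AdminRiskVerdict $_.Sid)
}
```

Running this on a domain controller after the GPO described in the first post shows the Domain Users SID (ending in -513) in BUILTIN\Administrators, which is exactly why any user could then rewrite folder ACLs on the server.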

Spock

Can I do this in a live environment? I.e. Make a new OU, move the
computer accounts into it, create the new GPO and set my policy?

Thank you.


-Spock

Torgeir Bakken (MVP)

Spock said:
Can I do this in a live environment? I.e. Make a new OU, move the
computer accounts into it, create the new GPO and set my policy?

Hi

Yes.
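The procedure Spock describes (new OU, move the computer accounts, new GPO linked to that OU), scripted as an added example that is not from any of the posters. It assumes the RSAT ActiveDirectory and GroupPolicy modules on a domain-joined admin host, run as a domain admin; the OU name "Workstations" and GPO name "Workstation Local Admins" are placeholders. The GPO is linked only at the new OU, never at the domain or Domain Controllers level, so the Restricted Groups setting cannot reach the DCs.

```powershell
# Added example, not code from the thread. Assumptions: RSAT AD + GroupPolicy
# modules installed, run as a domain admin; OU/GPO names are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'Workstations'                 # assumed name
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'Workstation Local Admins'     # assumed name
$dcOuDn   = "OU=Domain Controllers,$domainDn"

# 1. Create the workstation OU if it does not exist yet.
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" `
              -SearchBase $domainDn -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn `
        -ProtectedFromAccidentalDeletion $true
}

# 2. Move workstation accounts out of the default Computers container.
#    Member servers are skipped on their OS string; domain controllers live
#    in OU=Domain Controllers and are never in this container anyway.
Get-ADComputer -SearchBase "CN=Computers,$domainDn" -Filter * `
    -Properties OperatingSystem |
    Where-Object { $_.OperatingSystem -notlike '*Server*' } |
    ForEach-Object {
        Move-ADObject -Identity $_.DistinguishedName -TargetPath $ouDn
    }

# 3. Create the GPO and link it to the workstation OU only.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName `
        -Comment 'Restricted Groups: Administrators <- NT AUTHORITY\INTERACTIVE'
}
$linked = (Get-GPInheritance -Target $ouDn).GpoLinks |
          Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) {
    New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes
}

# 4. The Restricted Groups entry itself is set in the GPMC editor:
#    Computer Configuration -> Windows Settings -> Security Settings ->
#    Restricted Groups -> add "Administrators", Members = NT AUTHORITY\INTERACTIVE
#
# 5. Verify the link scope: the GPO must appear for the workstation OU and
#    must NOT appear for the Domain Controllers OU.
Write-Host "Links on $ouDn"
(Get-GPInheritance -Target $ouDn).GpoLinks | Select-Object DisplayName, Enabled
Write-Host "Links on $dcOuDn"
(Get-GPInheritance -Target $dcOuDn).GpoLinks | Select-Object DisplayName, Enabled
```

Two caveats when filling in step 4. In Restricted Groups, "Members of this group" is authoritative: at each refresh it removes every local member not listed, so any per-machine admin accounts you want to keep must be in the list. "This group is a member of" only adds and never removes. And the live migration is safe in the order shown because a moved computer account simply picks up the OU's GPO at its next refresh (or `gpupdate /force`), while the Default Domain Policy should have its Restricted Groups definition deleted first, as Roger advises.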
 