Frisk
Hi, I hope somebody can help me.
I run a pretty largish network with 2 domain controllers. We've just relocated our company to a large building so I've had this opportunity to implement a solid network environment.
Until yesterday morning I had everything running great.
I split the network using organisational units and group policies, e.g.
tech
sales
management
etc.
All worked fine; the sales group all have very restricted privileges on their workstations, tech could join domains and do general network admin etc.
I thought that the icing on the cake would be to allow anyone in the tech group to automatically log on with local administrator privileges on any machine (there's around 200 workstations here) using their logon (I know I should've just kept with using the local admin logon). So to do this I added Administrators to the Restricted Groups in the Tech group policy and made Office Tech (the security group which all techs are members of) a member.
After forcing a GP update this seemed to work: all techs automatically have local admin privileges on any workstation they logged onto, but after a little analysis I decided this was a little unsafe and removed the restricted group.
I did a few other little edits of other GPs (I've been tweaking the network) but nothing major and nothing that should have any effect on anything, but now here's the problem.
When I log on as the domain administrator on any workstation, I no longer have local administrative rights on that machine unless I rejoin the workstation to the domain, and I don't really want to have to do that with 200+ machines when I've done it already.
Also, the tech group still always have local admin privileges on workstations (even workstations they've never logged onto before) even though none are members of any administrator group and I removed the Restricted Groups policy.
Just to make sure, I've just now created a fresh new tech user called roger.rabbit.
Here's the gpresult output:
Microsoft (R) Windows (R) 2000 Operating System Group Policy Result tool
Copyright (C) Microsoft Corp. 1981-1999
Created on Wednesday, March 08, 2006 at 12:26:13 PM
Operating System Information:
Operating System Type: Professional
Operating System Version: 5.0.2195.Service Pack 4
Terminal Server Mode: Not supported
###############################################################
User Group Policy results for:
CN=Roger Rabbit,OU=Tech,OU=Office,DC=reach,DC=local
Domain Name: REACH
Domain Type: Windows 2000
Site Name: Default-First-Site
Roaming profile: (None)
Local profile: C:\Documents and Settings\roger.rabbit
The user is a member of the following security groups:
REACH\Domain Users
\Everyone
BUILTIN\Users
BUILTIN\Administrators
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
\LOCAL
REACH\Office Tech
REACH\Office Admin
REACH\Office Dev
###############################################################
Last time Group Policy was applied: Wednesday, March 08, 2006 at 12:24:37 PM
===============================================================
The user received "Registry" settings from these GPOs:
Default Domain Policy
Tech
===============================================================
The user received "Internet Explorer Branding" settings from these GPOs:
Default Domain Policy
Tech
###############################################################
Computer Group Policy results for:
CN=WS-008,CN=Computers,DC=reach,DC=local
Domain Name: REACH
Domain Type: Windows 2000
Site Name: Default-First-Site
The computer is a member of the following security groups:
BUILTIN\Administrators
\Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
REACH\WS-008$
REACH\Domain Computers
###############################################################
Last time Group Policy was applied: Wednesday, March 08, 2006 at 12:24:13 PM
Group Policy was applied from: svr-bdc.reach.local
===============================================================
The computer received "Registry" settings from these GPOs:
Local Group Policy
Default Domain Policy
===============================================================
The computer received "Security" settings from these GPOs:
Local Group Policy
Default Domain Policy
===============================================================
The computer received "EFS recovery" settings from these GPOs:
Local Group Policy
Default Domain Policy
Can anyone help me understand what's going on? I really don't want to have to rebuild, and I used to feel that I understood Win2000 networking pretty well, but this has just stumped me.
I appreciate any suggestions.
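One way to measure the drift the post describes across the fleet, as an added example that is not part of the original post: this PowerShell script reads each workstation's local Administrators group through the WinNT ADSI provider (which works against Windows 2000 hosts) and reports whether REACH\Domain Admins is missing and whether REACH\Office Tech is still present. The workstation names, the expected and unexpected member lists, and a domain account with admin rights on the targets are assumptions.

```powershell
# Audit local Administrators membership on a set of workstations.
# Added example; assumptions: placeholder workstation names, expected members
# are the built-in Administrator and REACH\Domain Admins, and the account
# running this has admin rights on the targets.
$Workstations = @('WS-008', 'WS-009')                 # placeholders
$Expected     = @('Administrator', 'REACH\Domain Admins')
$Unexpected   = @('REACH\Office Tech')                # should no longer be admin per the post

function Get-LocalAdmins {
    param([string]$Computer)
    # WinNT provider: works against down-level (Windows 2000) machines
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # ADsPath forms seen in practice:
        #   WinNT://REACH/Domain Admins           (domain principal)
        #   WinNT://REACH/WS-008/Administrator    (local account, 3 segments)
        #   WinNT://WS-008/Administrator          (local account, 2 segments)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 3 -or $parts[0] -eq $Computer) {
            $parts[-1]                                  # local principal: bare name
        } else {
            "$($parts[0])\$($parts[1])"                 # domain principal: DOMAIN\name
        }
    }
}

foreach ($ws in $Workstations) {
    try   { $members = @(Get-LocalAdmins -Computer $ws) }
    catch { Write-Warning "$ws unreachable: $_"; continue }
    $missing = $Expected   | Where-Object { $members -notcontains $_ }
    $extra   = $Unexpected | Where-Object { $members -contains $_ }
    [pscustomobject]@{
        Computer          = $ws
        Members           = ($members -join ', ')
        MissingExpected   = ($missing -join ', ')
        UnexpectedPresent = ($extra   -join ', ')
    }
}
```

Rows with a non-empty MissingExpected or UnexpectedPresent column are the machines whose local Administrators group no longer matches the intended membership and need correcting.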