Domain Users/Restrict to User Access Only.

  #1  
Old 11-03-2009
Andrew Staley
 
Posts: n/a
Domain Users/Restrict to User Access Only.

We're currently running a Server 2003 and looking to tighten up our
security. One thing that I know has happened in the past is that certain
PCs have had accounts created for domain users and they've been left with
full Admin privileges.

Is there a simple way, via Group Policy perhaps, that I can knock all these
accounts back down to User Only access? If not, my only alternative is to go
around some 200 machines and change them manually.

Thanks in advance, Andrew.

  #2  
Old 11-03-2009
Meinolf Weber [MVP-DS]
 
Posts: n/a
Re: Domain Users/Restrict to User Access Only.

Hello Andrew,

Assuming that you are talking about user accounts being in the local
administrators group, you can use Restricted Groups to remove/replace them
with the needed accounts:
http://www.frickelsoft.net/blog/?p=13

Pay attention to the "Members of this group" and "This group is a member
of" settings to find your way.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


  #3  
Old 11-03-2009
Andrew Staley
 
Posts: n/a
Re: Domain Users/Restrict to User Access Only.


Thanks for the reply. I've read through the guide, but must be missing
something.

I've created a GPO that is applying. I'm using "Members of the group" to
leave only Administrator in the admin group and for test purposes I'm
setting my own account to user. My account started as admin, GPO was
applied on restart and my domain account shows as user. But I can still
modify the system and install apps as if I'm a full administrator??

Any pointers on where I may have gone wrong?

Thanks, Andrew

  #4  
Old 12-03-2009
Meinolf Weber [MVP-DS]
 
Posts: n/a
Re: Domain Users/Restrict to User Access Only.

Hello Andrew,

Did you check the Administrators group in Local users and groups on the client
machine? What members are in that group?

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


  #5  
Old 12-03-2009
Marcin
 
Posts: n/a
Re: Domain Users/Restrict to User Access Only.

Andrew,
review Security Options, User Right Assignments, and custom permissions
applicable to the target computer...

hth
Marcin

  #6  
Old 12-03-2009
Andrew Staley
 
Posts: n/a
Re: Domain Users/Restrict to User Access Only.

I checked the Security Options and all these are undefined.

I've gone into Computer Management and checked Administrator, my username
isn't shown there, only Administrator. I've checked User and my username is
shown there.

I've then run "gpresult" and it shows that the policy has applied. Same
with the GPResult Wizard on the DC.

Within the GPO I've created two group names, Administrators, which contains
under "Member of the Group" DOMAIN_NAME\Administrator. And Users also under
the same section containing DOMAIN_NAME\My Username.

On the PC Administrators/Users show exactly as defined above. No local
accounts, just those I've defined above. Could this be part of the problem?

AStaley.

  #7  
Old 13-03-2009
Meinolf Weber [MVP-DS]
 
Posts: n/a
Re: Domain Users/Restrict to User Access Only.

Hello Andrew,

Use "Members of this group" and add there the accounts that should be local
admin, that's all. Other existing local admins will be removed with this
setting.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
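
The difference between the two Restricted Groups settings named in this thread, "Members of this group" and "This group is a member of", shown as an added example (not code from any poster or from Microsoft): a small Python model that reads a constructed `[Group Membership]` policy fragment and computes which accounts remain in the local Administrators group. All group and account names are placeholders, and the replace/add behaviour is modelled here rather than read from a live machine.

```python
"""Model of how a Restricted Groups policy rewrites local group membership."""

# Constructed policy fragments in the [Group Membership] layout used by
# Group Policy security templates. EXAMPLE\... names are placeholders.
POLICY_MEMBERS = """\
[Group Membership]
Administrators__Memberof =
Administrators__Members = Administrator,EXAMPLE\\Domain Admins
"""

POLICY_MEMBEROF = """\
[Group Membership]
EXAMPLE\\Workstation Admins__Memberof = Administrators
"""

# Constructed starting state of one workstation's local groups.
BEFORE = {
    "Administrators": {"Administrator", "EXAMPLE\\Domain Admins",
                       "EXAMPLE\\user1", "EXAMPLE\\user2"},
    "Users": {"EXAMPLE\\Domain Users"},
}


def parse_group_membership(inf_text):
    """Return {group: {"Members": [...], "Memberof": [...]}} from the section."""
    rules, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if not sep or kind not in ("Members", "Memberof"):
            continue
        names = [n.strip() for n in value.split(",") if n.strip()]
        rules.setdefault(group, {})[kind] = names
    return rules


def apply_policy(local_groups, inf_text):
    """Return a copy of local_groups as it would look after the policy applies."""
    result = {g: set(m) for g, m in local_groups.items()}
    for group, rule in parse_group_membership(inf_text).items():
        # "Members of this group": the list is authoritative, others are removed.
        if "Members" in rule and group in result:
            result[group] = set(rule["Members"])
        # "This group is a member of": additive, existing members are kept.
        for parent in rule.get("Memberof", []):
            if parent in result:
                result[parent].add(group)
    return result


def removed_accounts(before, after, group="Administrators"):
    """Accounts that lose membership of `group` when the policy is applied."""
    return sorted(before[group] - after[group])


if __name__ == "__main__":
    for name, policy in (("Members", POLICY_MEMBERS), ("Memberof", POLICY_MEMBEROF)):
        after = apply_policy(BEFORE, policy)
        print(name, sorted(after["Administrators"]), removed_accounts(BEFORE, after))
```

Only the "Members" form strips the leftover user accounts from Administrators; the "Memberof" form adds a group and leaves every existing administrator in place.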


  #8  
Old 13-03-2009
Andrew Staley
 
Posts: n/a
Re: Domain Users/Restrict to User Access Only.

That worked perfectly. Thank you for your help.

Andrew.

  #9  
Old 13-03-2009
Meinolf Weber [MVP-DS]
 
Posts: n/a
Re: Domain Users/Restrict to User Access Only.

Hello Andrew,

Nice to hear, thanks for the feedback.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

