Local Group Policy Set to None Existing Account

[thankgodfortektips]

Hi All,

I have an XP pro machine that was taken from a different domain and joined to my current domain. The problem that I am having is that the machine has a local policy set on it, which is making me getting 'You do not have sufficient security privileges' messages when trying to install new hardware.

I have tracked it down in the local group policy that under computer configuration-windows settings--security settings-local policies--User Rights Assignment--Load and unload device drivers... has a *S-1-5-... which makes me think that this policy is looking for an account that no longer exists.

I need to add the domain administrator or at least the current local admin account to this option but when I double click on the policy object the 'Add User or Group' box is not enabled.

Is there a way to take ownership of an entire computer?

Thanks

 

[linney]

Is the "Remove" tab available?


Look at the tool NTrights.
NTRIGHTS.exe (Resource Kit, 2000/2003)

http://www.ss64.com/nt/ntrights.html

How To Reset Security Settings Back to the Defaults

http://support.microsoft.com/?id=313222#appliesto

Have a look at the John Hueglin tip in this post, not sure whether you can do anything with it but it is worth knowing about.

How to launch reg file
thread779-1040119


Well-known security identifiers in Windows operating systems

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q243330

HOW TO: Take Ownership of a File or Folder in Windows XP (Q308421)

http://support.microsoft.com/support/kb/articles/q308/4/21.asp

 

[irigoyena]

SO you are not the local admin on that pc?

 

[thankgodfortektips]

well, yes and know. If I go to local user and groups, it shows my domain admin account listed. But as said above, I can not add driver etc.

And also the remove tab is not available.

 

[DaveC84]

Can you change any other part of the policy?

 

[irigoyena]

Can you reset the password of the local admin and login as such?

I hope you find this post helpful.

Regards,

Iggy
MCSE, MCSA:Messaging, A+, Network +

 

[thankgodfortektips]

thanks for the reponses guys, I am not at the machine now, and can not remember if I can change any other part of the policy... I will try it asap.

I have tried resetting the local admin password and logging in, but still not good.

 

[thankgodfortektips]

Hi All,

I am back at the machine now... I can change other areas of the local policy, and there is only this one option of the policy that has the SID instead of a valid user...

I have noticed that this is on a different machine at the same client. I only recently took over this client and I am wondering could this be something that was done wrong when they were switched from workgroup to domain?

thanks in advance

 

[irigoyena]

Sounds to me like it's a GPO that's affecting those clients? Are you a Domain admin or OU admin?

I hope you find this post helpful.

Regards,

Iggy
MCSE, MCSA:Messaging, A+, Network +

 

[DaveC84]

If it is on a domain I think you can set it in the OU to ignore any other GPO then the on set at OU or Domain level.

If you set that specific setting in a Group policy that will apply to the pc and then when you are looking at the group policy tab, highlight the gpo click options and select no override.

This will affect every computer in the OU and unfortunately I've never used it so don't know how well it works so you'll have to test it.

Hope this helps

 

[irigoyena]

I would be sure to see what GPOs are affecting the OU your computer in and see if one of the settings in any of those GPOs are the cause of the problem...

I hope you find this post helpful.

Regards,

Iggy
MCSE, MCSA:Messaging, A+, Network +