Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Local Policy

Status
Not open for further replies.
RonCSS

RonCSS

IS-IT--Management
Joined
Nov 14, 2002
Messages
14
Location
US
A user has set a policy on their machine so the domain admin has no access to any of the policy settings or any other settings. I need to create a group policy that will not allow anyone to change the local admin password nor lock the domain admin out of anything. Any suggestions?

Thanks.
 
Sort by date Sort by votes
I would disagree with Matt on this one, Deny locally will deny users the right to access their computers.

Was this user a domain admin or local admin?

Sounds like they were granted local or domain admin rights. I would prevent them access to doing this by making them a domain user. If you need to grant elevated privlages, make the users Power Users. Domain users and local Power Users don't have access to the GPO mmc nor can they access the local security policy.

Further more, rename the Admin account through a GPO and enable the Restricted Groups policy to only allow those in the group can be admins. Furthermore, disable the mmc program to domain Users.

Hewissa

MCSE, CCNA, CIW
 
Upvote 0 Downvote
Yes, they were a domain admin. I don't know why, another admin had given them the rights. :( I can make them power users. If i do this, how do change the local policy back to the domain admin having full rights to the machine?
 
Upvote 0 Downvote
To prevent this I would envoke the Restricted Groups Policy so that only you can "Grant" admin rights, and only those in the Restricted Group would be admins.

As for the local policy, you could replace the policy template. Either configure one from a different machine or replace it with an original template.


Hewissa

MCSE, CCNA, CIW
 
Upvote 0 Downvote
Yes Matt, an attempt to log on with this policy enabled would result in the error "The local policy of this system does not permit you to logon interactively". If it is applied at the Domain level then it would affect all computers (unless an ou has blocked it).

rmagers, I found the steps to replace the local policy:

1. Connect to the problem computer with a Net use x: \\ProblemComputerName\C$ <Password> /u:Administrator

2. Navigate to the %SystemRoot%\Security\Database folder.

3. Rename Secedit.sdb to Secedit.old_sdb.

4. Copy an operational Secedit.sdb from a Windows 2000 platform of the same edition (Server to Server or Professional to Professional).

5. Shutdown and restart the problem computer.

Hewissa

MCSE, CCNA, CIW
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

tscstl
  • Locked
  • Question Question
access to local folder
Replies
1
Views
548
hairlessupportmonkey
hairlessupportmonkey
rrmcguire
  • Locked
  • Question Question
group policy to set dns
Replies
2
Views
583
rrmcguire
rrmcguire
froyed05
  • Locked
  • Question Question
DFSR local setting
Replies
0
Views
214
froyed05
froyed05
RdFromK
  • Locked
  • Question Question
GroupPolicy error 1065 with Windows SBS CSE Policy
Replies
2
Views
552
RdFromK
RdFromK
phil3000
  • Locked
  • Question Question
Screensaver Via Group Policy
Replies
1
Views
388
markdmac
markdmac

Part and Inventory Search

Sponsor

Back
Top