
Problem setting user permissions in active directory 2


TRUCK0321
I am running Active Directory on Windows 2000 Server for a group of about 25 people. I took over this job from another IT company and unfortunately they were not willing to give me any info about the system. As far as I can tell Active Directory is set up correctly; however, if I change the membership of any user the changes are not reflected when they log on to their computer. In other words, I gave a user Administrator privileges and they still cannot change Control Panel settings. What could cause this kind of behavior? Thanks in advance,
Darin
 
Could be the local policy on the users' machines is restrictive about what can or can't be shown. Even with admin rights, you cannot view hidden items designated by local policy. Run gpedit.msc from a command prompt or from the Run bar. Under the User Configuration, navigate to Administrative Templates and look at the various options provided to see what is restricted and what is not. Starting at the Control Panel options would be a good start.
You should, by the way, get the owner of the company to request all documentation for your network from the previous IT company. I believe it may be illegal for them to suppress any information which will affect business in a negative manner.



Claudius (What certifications??)
 
If you're not familiar with policies do the following.

Using "Active Directory Users and Computers" create a group "LocAdminGrp". Optionally you can assign it to be a domain administrator group. Join the users that you want to be local administrators to this group.

Go to the workstation, log in as Domain Administrator:

Right click "My Computer"/Manage/Local Users And Groups/Groups/Double Click "Administrators"/Add/In the box "Look In" select your domain/choose the user name or the "LocAdminGrp" group that you want to be a local administrator.
 
All of the items under Administrative Templates say "not configured". BTW, I have about 6 brand new XP Pro systems that all have the same behavior. I tried dropping a single user into the local admin group as per raquetman but no settings have changed; they still can't even change the time it takes to turn the monitor off. Isn't Active Directory supposed to be a single place where I can change user permissions easily? Also, when I log onto any of these systems as the domain administrator (the built-in admin) I have no problems. So I tried to make a couple of users look exactly like my admin account, I even changed the computer membership to administrator, and still nothing. What could keep everyone from seeing the changes I'm making in AD?
 
Well, as local policies do not apply in your case and as your new machines have the same issue, it appears to be a Group Policy from the Active Directory side. Have one of your users log on to their XP box. Open a command prompt and type gpresult
This will give you all the group policies that apply to the logged-on user. It should also give you what changes and/or restrictions accompany each group policy. Once you have the result, just go to Active Directory Users and Computers, find the relevant entries and edit the security as to whom that policy should apply. You could also disable the group policy if you wish.


Claudius (What certifications??)
 
Here is what it spit out, and it looks like it should have a lot more rights than it does:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\phil>GPRESULT

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 7/2/2003 at 8:59:25 PM


RSOP results for NHSIE\phil on RICKNEW : Logging Mode
------------------------------------------------------

OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: NHSIE
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\phil
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
CN=Ricknew,CN=Computers,DC=nhsie,DC=org
Last time Group Policy was applied: 7/2/2003 at 8:22:11 PM
Group Policy was applied from: sbsserver.nhsie.org
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
Debugger Users
BUILTIN\Users
RICKNEW$
Domain Computers
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users


USER SETTINGS
--------------
CN=Phil,CN=Users,DC=nhsie,DC=org
Last time Group Policy was applied: 7/2/2003 at 8:01:21 PM
Group Policy was applied from: sbsserver.nhsie.org
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups:
----------------------------------------------------
Enterprise Admins
Everyone
BUILTIN\Users
LOCAL
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users

C:\Documents and Settings\phil>


It's strange though, AD says that phil is part of the administrator group and the enterprise admin group but administrator doesn't show up under the gpresult. Does this help?
 
Just realised I forgot to include a switch in the gpresult recommendation.
Try again with gpresult /v
or gpresult /z

It will give more detailed info than what you have received, including all policy applications. From what you have posted, it seems you only have the default domain policy. You can go check it; basically the same navigation as for the local policies, but you need to look at the properties for the default domain policy to start with.



Claudius (What certifications??)
 
Will the default domain policy override all the permissions associated with administrator membership? I can't check gpresult /v right now but should be able to later today, I'll let you know what it gives me.
 
Here are the results of the gpresult in super verbose mode.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

Z:\>gpresult /z

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 7/7/2003 at 3:46:40 PM


RSOP results for NHSIE\solina on SOLINANEW : Logging Mode
----------------------------------------------------------

OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: NHSIE
Domain Type: Windows 2000
Site Name: Default-First-Site-Name
Roaming Profile:
Local Profile: C:\Documents and Settings\solina
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
CN=SOLINANEW,CN=Computers,DC=nhsie,DC=org
Last time Group Policy was applied: 7/7/2003 at 3:27:32 PM
Group Policy was applied from: sbsserver.nhsie.org
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
Debugger Users
BUILTIN\Users
SOLINANEW$
Domain Computers
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users

Resultant Set Of Policies for Computer:
----------------------------------------

Software Installations
----------------------
N/A

Startup Scripts
---------------
N/A

Shutdown Scripts
----------------
N/A

Account Policies
----------------
GPO: Default Domain Policy
Policy: MinimumPasswordLength
Computer Setting: N/A

GPO: Default Domain Policy
Policy: LockoutBadCount
Computer Setting: N/A

Audit Policy
------------
N/A

User Rights
-----------
N/A

Security Options
----------------
GPO: Default Domain Policy
Policy: RequireLogonToChangePassword
Computer Setting: Not Enabled

GPO: Default Domain Policy
Policy: PasswordComplexity
Computer Setting: Not Enabled

GPO: Default Domain Policy
Policy: ForceLogoffWhenHourExpire
Computer Setting: Not Enabled

GPO: Default Domain Policy
Policy: ClearTextPassword
Computer Setting: Not Enabled

Event Log Settings
------------------
N/A

Restricted Groups
-----------------
N/A

System Services
---------------
N/A

Registry Settings
-----------------
N/A

File System Settings
--------------------
N/A

Public Key Policies
-------------------
N/A

Administrative Templates
------------------------
N/A


USER SETTINGS
--------------
CN=Solina Gonzalez,CN=Users,DC=nhsie,DC=org
Last time Group Policy was applied: 7/7/2003 at 3:36:47 PM
Group Policy was applied from: sbsserver.nhsie.org
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
Default Domain Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)

The user is a part of the following security groups:
----------------------------------------------------
Domain Users
Everyone
BUILTIN\Users
BackOffice Internet Users
LOCAL
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users

Resultant Set Of Policies for User:
------------------------------------

Software Installations
----------------------
N/A

Public Key Policies
-------------------
N/A

Administrative Templates
------------------------
N/A

Folder Redirection
------------------
N/A

Internet Explorer Browser User Interface
----------------------------------------
N/A

Internet Explorer Connection
----------------------------
N/A

Internet Explorer URLs
----------------------
N/A

Internet Explorer Security
--------------------------
N/A

Internet Explorer Programs
--------------------------
N/A

Z:

Does this help at all?
 
OK, I'm kinda jumping in on this half way through.
So you have a 2K domain, and even with the new PCs you still have these restrictions.
I would say check your Active Directory. Check from top to bottom on all the OUs for group policies. Change them so they don't apply for an administrator or for the domain admin group, etc.
Then log in and see what happens.


 
It looks like only your default domain policy applies to the particular computer you got those test results from. Can domain admins get into Control Panel or anything? It's more than likely a GPO issue, and something dumb too, like a GPO applied to Authenticated Users (which is the default) and not filtered.

As for local administrator accounts, if a GPO is set, then it doesn't matter what privileges they have on their local machine because domain overrides local machine policies, including privileges they are granted locally, if I remember correctly. If the GPO applies to a group they are a member of, or applies to all authenticated users, then that GPO will stipulate what and when a user can do something on their local machine. In a domain, a local machine account means squat...

Lemme know if this helped :)
 
Oh, it was something stupid all right: I had these people included in the regular Administrators group, NOT the Domain Admins group. Of course I don't want to leave them as Domain Admins, but at least I know why they couldn't even change Control Panel settings or install software. Thanks for all your help guys, this probably won't be the last time I need it.
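The root cause above (membership in the domain's built-in Administrators group, which only grants rights on domain controllers, instead of a group that is nested in the workstation's local Administrators group) is easy to check from the workstation itself. The script below is an added example, not code from the thread; it assumes PowerShell 5.1 or later, the ActiveDirectory RSAT module and a domain-joined host, so it is the modern equivalent of the manual "net localgroup" / gpresult inspection the thread walks through on XP.

```powershell
# Added example (not from the thread). Reports whether a domain user will actually be an
# administrator on the workstation this runs on, by expanding the local Administrators group
# and recursively resolving every domain group nested in it. Assumes PowerShell 5.1+, the
# ActiveDirectory RSAT module and a domain-joined machine.
param(
    [Parameter(Mandatory = $true)] [string] $SamAccountName   # e.g. 'phil'
)
Import-Module ActiveDirectory

$domain = (Get-ADDomain).NetBIOSName
$null   = Get-ADUser -Identity $SamAccountName      # fail early if the account does not exist
$via    = @()                                        # local-admin paths found for this user

foreach ($member in Get-LocalGroupMember -Group 'Administrators') {
    $shortName = $member.Name.Split('\')[-1]        # strip the DOMAIN\ or HOST\ prefix
    if ($member.ObjectClass -eq 'User') {
        if ($member.Name -ieq "$domain\$SamAccountName") { $via += $member.Name }
    }
    elseif ($member.ObjectClass -eq 'Group' -and $member.PrincipalSource -eq 'ActiveDirectory') {
        # -Recursive flattens nested domain groups down to leaf users and computers.
        $leaves = Get-ADGroupMember -Identity $shortName -Recursive
        if ($leaves.SamAccountName -contains $SamAccountName) { $via += $member.Name }
    }
}

# The thread's misconfiguration: the domain's BUILTIN\Administrators group (well-known SID
# S-1-5-32-544) is a domain-local group that confers rights on domain controllers only, so a
# member workstation never sees it in the user's token as an Administrators membership.
$dcOnlyAdmin = (Get-ADGroupMember -Identity 'S-1-5-32-544' -Recursive).SamAccountName -contains $SamAccountName

if ($via.Count -gt 0) {
    "$SamAccountName IS a local administrator on $env:COMPUTERNAME via: $($via -join ', ')"
}
else {
    "$SamAccountName is NOT a local administrator on $env:COMPUTERNAME"
    if ($dcOnlyAdmin) {
        "  note: the user is in the domain's built-in Administrators group, which only applies on domain controllers"
    }
}
```

Run it as a user who can read group membership from the domain (for example `.\Test-LocalAdmin.ps1 -SamAccountName phil`); a "NOT ... note:" result is exactly the situation the original poster hit.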
 