Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Group policy tattooing with restricted group? or strange behaviour! [message #157484] Wed, 08 July 2009 06:12
Eric (Netherlands)
Messages: 130
Registered: July 2009
Senior Member
Hello,

We have Windows 2000/XP clients in our Active Directory.

Configuration 1 --> We had a GPO applied on computers that defined a
restricted group for BUILTIN\Administrators. (So, if a user wanted to
add himself to his local Administrators group, his user account was
automatically removed from this group.)

Configuration 2 --> For three months, we changed this GPO and the
restricted group was defined with the "member of" parameter, so a
user was able to add himself to the local admin group.

Configuration 3 (= configuration 1) --> Then, as some of the users knew
the local admin password and had added themselves without authorization to the
local admin group, we configured the restricted group as before
(and so users are removed from the local admin group).

Now the problem ...

If a user powers on his computer with the network disabled (or if the GPO
is not applied for any reason), the local admin group is identical to
what it was during "configuration 2", and so some users are local
admins ...

Is this normal?

Thank you

--
Eric
Re: Group policy tattooing with restricted group? or strange behaviour! [message #157486 is a reply to message #157484] Wed, 08 July 2009 06:34
meiweb(nospam) (Germany)
Messages: 1307
Registered: July 2009
Senior Member
Hello Eric,

If the policy change is not applied because the machine was not on the domain
when you made the change, this is normal. To apply the new policy the machine
has to be connected to the domain.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: Group policy tattooing with restricted group? or strange behaviour! [message #157495 is a reply to message #157484] Wed, 08 July 2009 08:16
pbbergs (United States)
Messages: 1024
Registered: July 2009
Senior Member
First off as a general practice, you should be changing the admin password
on a regular basis. If someone has compromised the password then it should
be changed immediately.

As Meinolf already indicated you have to be connected to the domain for the
restriction policy to take effect.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

Re: Group policy tattooing with restricted group? or strange behaviour! [message #157496 is a reply to message #157486] Wed, 08 July 2009 08:27
Eric (Netherlands)
Messages: 130
Registered: July 2009
Senior Member
Thank you for your answer, but perhaps I was not clear enough.

There is no policy change when the problem occurs. The user is
retrieving an OLD group policy when the computer is not connected to the LAN.

If the user added his account during Configuration 2, then, even if
Configuration 3 deleted the user account that was in the admin group,
when the user unplugs the network and reboots, his old user account (from
Configuration 2) is present in the local admin group.

I hope I am clear enough this time :)

Thanks



--
Eric
Re: Group policy tattooing with restricted group? or strange behaviour! [message #157499 is a reply to message #157496] Wed, 08 July 2009 09:24
meiweb(nospam) (Germany)
Messages: 1307
Registered: July 2009
Senior Member
Hello Eric,

After the 3rd change, when the user is logged in, run rsop and check if the
policy is applied with the correct setting.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: Group policy tattooing with restricted group? or strange behaviour! [message #157635 is a reply to message #157495] Fri, 10 July 2009 04:24
Eric (Netherlands)
Messages: 130
Registered: July 2009
Senior Member
I agree, but my question is: "how can I define the 'default' users that
have to be members of the local admin group when the computer is not
connected to the network and so the group policy is not applied?"

Thank you


--
Eric
Re: Group policy tattooing with restricted group? or strange behaviour! [message #157640 is a reply to message #157635] Fri, 10 July 2009 08:28
pbbergs (United States)
Messages: 1024
Registered: July 2009
Senior Member
The only way I can think of that would work is you write a script and then
create a scheduled task that runs at boot up to place the users you want in
the groups they need to reside in. But you will have to manage every laptop
for the users within the groups.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

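The boot-time script Paul suggests, written out as an added example (it is not code from this thread or from any of the posters). It also models the two Restricted Groups behaviours Eric describes: the "Members of this group" setting is authoritative and removes anyone not listed, while "This group is a member of" is additive and leaves self-added accounts in place, which is why the Configuration 2 membership was still there on an offline client. Assumptions: the allow-list and the script path are placeholders, `net localgroup` prints its English output, PowerShell is installed on the client, and the task runs as SYSTEM.

```powershell
# Added example, not code from the thread. Enforces a fixed membership for
# BUILTIN\Administrators at boot so an offline client cannot keep the
# membership it had under an older GPO. Assumptions: the allow-list below is a
# placeholder; 'net localgroup' prints English output; the script is run as
# SYSTEM from a scheduled task created by Register-EnforceTask.

$AllowedMembers = @('Administrator', 'EXAMPLE\Workstation Admins')   # placeholder allow-list
$LogFile        = Join-Path $env:SystemRoot 'Temp\EnforceLocalAdmins.log'

function Write-EnforceLog {
    param([string]$Message)
    Add-Content -Path $LogFile -Value ("{0} {1}" -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Message)
}

# Parse the member list printed by 'net localgroup <group>'. The names sit
# between the dashed separator line and the "The command completed" trailer.
function Get-LocalGroupMemberNames {
    param([string]$Group = 'Administrators')
    $members = @()
    $inList  = $false
    foreach ($raw in (net localgroup $Group 2>&1)) {
        $line = "$raw".Trim()
        if ($line -match '^-{5,}$')                { $inList = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inList -and $line)                    { $members += $line }
    }
    return $members
}

# Work out adds and removals. Mode 'Members' behaves like the Restricted Groups
# "Members of this group" setting (Configuration 1/3 in the thread): the list is
# authoritative and anyone else is removed. Mode 'MemberOf' behaves like the
# "This group is a member of" setting (Configuration 2): additive only, existing
# members are left alone, which is why self-added accounts survived.
function Get-GroupDrift {
    param(
        [string[]]$Current,
        [string[]]$Desired,
        [ValidateSet('Members', 'MemberOf')][string]$Mode = 'Members'
    )
    $toAdd    = @($Desired | Where-Object { -not ($Current -contains $_) })
    $toRemove = @()
    if ($Mode -eq 'Members') {
        $toRemove = @($Current | Where-Object { -not ($Desired -contains $_) })
    }
    New-Object PSObject -Property @{ Add = $toAdd; Remove = $toRemove }
}

# Reconcile the real group and log every change, so the accounts that had
# crept in while the GPO was additive are recorded for review.
function Set-LocalAdminMembership {
    param([string[]]$Desired = $AllowedMembers, [string]$Mode = 'Members')
    $current = Get-LocalGroupMemberNames -Group 'Administrators'
    $drift   = Get-GroupDrift -Current $current -Desired $Desired -Mode $Mode
    foreach ($m in $drift.Add) {
        net localgroup Administrators "$m" /add | Out-Null
        Write-EnforceLog "added '$m' to Administrators"
    }
    foreach ($m in $drift.Remove) {
        net localgroup Administrators "$m" /delete | Out-Null
        Write-EnforceLog "removed '$m' from Administrators"
    }
    return $drift
}

# Register the boot-time task Paul describes (script path is a placeholder).
# Run once from an elevated prompt on each client.
function Register-EnforceTask {
    param([string]$ScriptPath = 'C:\Scripts\Enforce-LocalAdmins.ps1')
    $cmd = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    schtasks /create /tn 'EnforceLocalAdmins' /sc onstart /ru SYSTEM /tr $cmd /f
}

# Entry point when the scheduled task runs the script at boot.
Set-LocalAdminMembership | Out-Null
```

Two caveats a practitioner would want. First, `net localgroup` is known to truncate long member names in its listing, so a truncated name would be read as drift; on systems that ship the LocalAccounts module, `Get-LocalGroupMember` is the safer source. Second, as Paul says, the list has to be maintained per laptop, and it does nothing about the underlying problem that users know the local admin password: the log file only tells you afterwards which accounts the task had to remove. On a client that does reach the domain, Meinolf's check (rsop.msc or gpresult) shows whether the Restricted Groups setting itself was applied.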