Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Manually added user rights assignments

0 views
Skip to first unread message

Harrison Blackwood

unread,
Oct 5, 2004, 5:19:05 PM10/5/04
to
Have been trying to add the buit-in Admin accounts of my members servers to
Computer Configuration\Windows Settings\Security Settings\Local
Policies\User Rights Assignment\Deny access to this computer from the network.

Thus far have been unable to.
1. Tried logging on to the members servers using the Domain Admin account
and then adding the local admins to the policy. Was unable to access the
local built-in account to add it to the policy.
2. Tried logging in as the built-in admin, but was then unable launch the
ADUC.

Would someone please tell me what it is I am missing or not grasping?

Thank you,

Harrison

Mark Renoden [MSFT]

unread,
Oct 5, 2004, 7:52:03 PM10/5/04
to
Hi Harrison

Which policy are you attempting to edit? If it's a policy that applies to
some part of the AD (domain or OU), you won't be able to add local accounts
because those specific accounts are meaningless to all other machines.

If you're editing the local security policy, this should work. You just
need to click on "Locations" in the "Select Users and Groups" dialog and
choose the member server from the list.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: mark...@online.microsoft.com

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

"Harrison Blackwood" <Harrison...@discussions.microsoft.com> wrote in
message news:C469D2C1-EF33-4288...@microsoft.com...

Roger Abell

unread,
Oct 6, 2004, 10:19:41 AM10/6/04
to
I like Mark are confused at how you are trying to do this.
Are you attempting to set this is a GPO of AD that is applied
onto the server, or to do this in the member's Local Security
Policy ? If via AD GPO you are using a GPO linked to an
OU (containing the servers) not to the domain (right?) and are
entering Administrators rather than selecting it with the GUI?
Also, are your members W2k or W2k3 ? With W2k3 you
can use the policy to disable the Administrator account to
make the built-in Administrator (however renamed) only of
use for a non-normal boot (recovery, safe mode, ...).
Also, if you have TS installed in admin mode on W2k, or you
have W2k3, you would want to remember to also take control
over use of a TS login by the account(s).
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

"Harrison Blackwood" <Harrison...@discussions.microsoft.com> wrote in
message news:C469D2C1-EF33-4288...@microsoft.com...

Harrison Blackwood

unread,
Oct 6, 2004, 4:23:02 PM10/6/04
to
Roger,

Am following the Windows 2003 Server Security Guide. The page I am
refering to is p. 144 "Additional Security Settings". On p. 145 there are
instructions for manually adding security groups to the "Deny access to this
computer from the network."

There is talk in this section about adding the built-in admin to this
policy and that is what I am trying to do.

Regards,

Harrison

Harrison Blackwood

unread,
Oct 6, 2004, 5:31:06 PM10/6/04
to
Mark,

When I look for the member server, it is not listed.

Thank you,

Mike

0 new messages