Group policy tattooing with restricted group? Or strange behaviour!

Subject: Group policy tattooing with restricted group? Or strange behaviour!
Posted by:  Eric (Eric_m@nospam.hotmail.com)
Date: Wed, 08 Jul 2009

Hello,

We have Windows 2000/XP clients in our Active Directory.

Configuration 1 --> We had a GPO applied on computers that defined a
restricted group for BUILTIN\Administrators. (So, if a user wanted to
add himself to his local administrators group, his user account was
automatically removed from this group.)

Configuration 2 --> For three months, we changed this GPO and
the restricted group was defined with the "member of" parameter, so a
user was able to add himself to the local admin group.

Configuration 3 (= configuration 1) --> Then, as some of the users knew
the local admin password and had added themselves without authorization
to the local admin group, we configured the restricted group as before
(and so users are removed from the local admin group).

Now the problem ...

If a user powers on his computer with the network disabled (or if the GPO
is not applied for any reason), the local admin group is identical to
what it was during "configuration 2", and so some users are local
admin ...

Is it normal?

Thank you

--
Eric
