
On a Windows Server 2003 / XP LAN, non-admin domain users are able to manage the users and groups of the local computer, including changing the Administrator password and making themselves Administrators of the local computer.

How is this possible and how can I prevent it?

rism
  • Your users aren't local administrators, are they? – Dan Jan 19 '12 at 08:56
  • No. They aren't even local users. There are just Admin and Guest accounts for locals. – rism Jan 19 '12 at 09:29
  • That doesn't mean they're not local administrators - check the "Administrators" group on the machine. – Dan Jan 19 '12 at 09:31
  • O.k. now we are cooking. You are right the staff domain group has been assigned to Administrators group on the local machine. If you could tell me how to drop that using GPO in Answer then I will accept. Thanks. – rism Jan 19 '12 at 09:51
  • Rism, they're not assigned that role by default. It's not a case of knowing how to alter that setting, you should find where it's set and un-set it. If it's already set in a GPO somewhere and you create another GPO to un-set it then you'll just have inconsistent results. – Rob Moir Jan 19 '12 at 10:05
  • Yes. Thanks Rob. I actually tried to clarify my comment about that but it had timed out. It must have already been set somewhere. I guess I'm asking in what section would that be. It's a tiny LAN with a default domain GPO and a single OU GPO so it should be too hard to find given a strong hint. Thx – rism Jan 19 '12 at 10:10

1 Answer


Confirm that the staff aren't local administrators by checking the local Administrators group on the machine.

You should be able to remove these by creating a GPO which manipulates the local Administrators security group. This can be done using the "Restricted Groups" section in your GPO:

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Restricted Groups

(NB: Be aware that this will effectively overwrite the Local Admin group so ensure you include anyone that's required to be a local administrator)

Or, if you've set up Group Policy Preferences, you could use that too for more flexibility.

Dan
  • Also, what Rob says, though I presumed that this had been done manually to be honest! – Dan Jan 19 '12 at 10:06
  • Thanks a lot. There's only a handful of clients so you may be right re: manual addition. I guess I can test this by removing from client and then logging in again? If the setting comes back it must have been set in GPO right? – rism Jan 19 '12 at 10:13
  • Reboot rather than log in, but yeah, that's a fairly sound theory. Or do a GPResult and go through. – Dan Jan 19 '12 at 10:20
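
To follow the advice above to find where the membership is set before un-setting it, here is an added example (not part of the original thread): a Python script that parses the `[Group Membership]` section of a GPO's `GptTmpl.inf` security template, where Restricted Groups settings are stored, and lists the principals it places in local Administrators (well-known SID S-1-5-32-544). The sample template, its SIDs and the function names are constructed for illustration; Group Policy Preferences keep local group changes in a separate `Groups.xml` and are not covered.

```python
import re
from pathlib import Path

# Ways a template can name the built-in Administrators group (SID or plain name).
ADMIN_IDS = {"*s-1-5-32-544", "administrators", "builtin\\administrators"}

# Constructed sample template; the domain SID S-1-5-21-1-2-3 is made up.
SAMPLE = """[Version]
signature="$CHICAGO$"
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1-2-3-512,*S-1-5-21-1-2-3-1105
*S-1-5-21-1-2-3-1106__Memberof = *S-1-5-32-544
*S-1-5-21-1-2-3-1106__Members =
"""

def parse_group_membership(text):
    """Return {group: {"members": [...], "memberof": [...]}} for the section."""
    groups, in_section = {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            m = re.match(r"(.+)__(members|memberof)$", key.strip(), re.I)
            if m:
                entry = groups.setdefault(m.group(1), {"members": [], "memberof": []})
                entry[m.group(2).lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return groups

def admin_grants(text):
    """List (how, principal) pairs that end up in local Administrators."""
    grants = []
    for group, entry in parse_group_membership(text).items():
        if group.lower() in ADMIN_IDS:  # "Members of this group": replaces the list
            grants += [("members-list", p) for p in entry["members"]]
        if any(t.lower() in ADMIN_IDS for t in entry["memberof"]):  # additive entry
            grants.append(("member-of", group))
    return grants

def scan_policies(policies_dir):
    """Map each GptTmpl.inf under a SYSVOL Policies folder to its grants."""
    hits = {}
    for inf in Path(policies_dir).rglob("GptTmpl.inf"):
        data = inf.read_bytes()  # usually UTF-16 with a BOM
        bom = data[:2] in (b"\xff\xfe", b"\xfe\xff")
        found = admin_grants(data.decode("utf-16" if bom else "latin-1"))
        if found:
            hits[str(inf)] = found
    return hits
```

Run `scan_policies` against the domain's SYSVOL `Policies` folder; any GPO it reports is a place where the local Administrators membership is being set and should be corrected at the source.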