kevingay
Posts: 5
03/27/2009 11:09 AM
Can only be done with 2 accounts. Basically they keep their regular account. Then you make a regular domain account, then grant it access in AD up to what it needs. Then apply a policy to block it from being able to log onto anything but the domain controller. However, I'm unsure if the policy to block logons is "deep" enough to block the "runas" feature. It would have to be researched. The only other option is for the regular account to be blocked from the runas.exe, although I'm not sure if that blocks the GUI runas, i.e. shift right-click. And if that user has more than 2 accounts, the catch is that all accounts that user has would need to have the runas blocked. Also, the "admin" account would need to be denied remote logon if you always want them physically at the console each time they need to work on it.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Carol M. Chisholm Sent: Friday, March 27, 2009 2:25 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] OT: can't edit GPO or edit in other RSAT tools - permissions problem?
Since it was not the computer account I created a new domain admin account, which solved the problem.
Now there is just the question of what one does to a domain admin account so it can only do admin tasks on the DC, not from a workstation?
Carol
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Carol M. Chisholm Sent: 25 March 2009 16:06 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] OT: can't edit GPO or edit in other RSAT tools - permissions problem?
Ah that's perhaps the problem:
Logged into the DC I can see this:
Domain admins has Link GPOs for "This container only" on the domain.
My admin account, which is a domain admin account has "This Container and all child objects"
Enterprise Admins (I am also an Enterprise Admin) has "This Container and all child objects"
Further down the tree, the Default Domain Policy, and all the other Group Policy Objects, domain admins have "Edit settings, delete, modify security", but my particular account is not mentioned.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: 25 March 2009 15:59 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] OT: can't edit GPO or edit in other RSAT tools - permissions problem?
Carol-
Can you verify that Domain Admins truly has the proper rights on GPOs? Can you view the security on a particular GPO and look at what it says under the Delegation tab in GPMC?
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Carol M. Chisholm Sent: Wednesday, March 25, 2009 7:48 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] OT: can't edit GPO or edit in other RSAT tools - permissions problem?
I have taken my workstation out of the domain, deleted its account, waited 15 minutes and re-joined it.
No errors during the process.
I still have all the "edit" options greyed out (Edit, New, Create a GPO, Link a GPO, Block Inheritance...).
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Carol M. Chisholm Sent: 25 March 2009 15:09 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] OT: can't edit GPO or edit in other RSAT tools - permissions problem?
I only joined the domain last week, I can try re-joining it.
Another of the RSAT tools is DNS editor; I can view the DNS settings on the DC but not edit them.
It looks like a permissions thing.
The machine is getting updated by the group policy, gpupdate generated no errors.
My domain logon seems valid, but I will take myself out of the domain and back in again.
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: 25 March 2009 15:05 To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] OT: can't edit GPO or edit in other RSAT tools - permissions problem?
Carol-
Based on your description, are you sure that your machine account is still good with the domain? Does other domain-based authentication work? Also, not sure what you mean by you can't edit your DNS? Do you mean your DNS server or the DNS config. on your client?
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Carol M. Chisholm Sent: Tuesday, March 24, 2009 11:22 PM To: xxxxxxxxxxxxxxxx Subject: [gptalk] OT: can't edit GPO or edit in other RSAT tools - permissions problem?
Windows 2003 R2 DC, in a domain that once was managed by SBS.
I'm working remotely from a Vista SP1 workstation in the domain, logged in as a domain admin.
I am off site working through a firewall-firewall VPN.
I have my RSAT tools (Group Policy Management console and so on) and I can run them as administrator, but even then I cannot edit anything.
I cannot edit my DNS either.
If I log onto the server with the same account I can change all these things.
I have checked my user (elevated command prompt and whoami). I have write access to the admin shares on the DC.
Carol Chisholm
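Two checks that follow from this thread, written as an added example rather than code from any of the posters. The first answers Darren's question (what does the Delegation tab actually say for each GPO) with the GroupPolicy module's Get-GPPermission, so a principal that is missing from a GPO's ACL or holds only GpoRead shows up without clicking through every GPO in GPMC. The second covers kevingay's suggestion of restricting the admin account to the domain controllers: it reads the effective User Rights Assignment on the machine it runs on and lists who holds each "Deny ..." logon right, so you can confirm the restricting GPO landed on the workstations and not on the DCs. The group name EXAMPLE\Tier0-DC-Admins and the principals in the usage lines are placeholders chosen for this example, not names from the thread; the script assumes the RSAT GroupPolicy module is installed and that it runs with local administrator rights (secedit needs them).

```powershell
# Added example (not code from the thread). Assumes the GroupPolicy RSAT module
# and local admin rights. 'EXAMPLE\Tier0-DC-Admins' is a placeholder group name.
Import-Module GroupPolicy

# --- Check 1: GPO delegation -------------------------------------------------
# Report the permission level each principal holds on every GPO in the domain.
# GpoEditDeleteModifySecurity is what the "Edit settings, delete, modify
# security" entry on the Delegation tab corresponds to; '<not present>' means
# the principal has no ACE on that GPO at all.
function Get-GpoDelegationReport {
    param(
        [string[]]$Principal = @('Domain Admins', 'Enterprise Admins')
    )
    foreach ($gpo in Get-GPO -All) {
        $perms = Get-GPPermission -Guid $gpo.Id -All
        foreach ($name in $Principal) {
            $entry = $perms | Where-Object { $_.Trustee.Name -eq $name }
            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                Trustee    = $name
                Permission = if ($entry) { $entry.Permission } else { '<not present>' }
            }
        }
    }
}

# Give a group edit/delete/modify-security rights on one GPO (the fix when the
# report above shows the group missing or read-only).
function Grant-GpoEditRights {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
        -PermissionLevel GpoEditDeleteModifySecurity
}

# --- Check 2: deny-logon user rights ------------------------------------------
# The restriction kevingay describes is set in a GPO under
#   Computer Configuration > Windows Settings > Security Settings >
#   Local Policies > User Rights Assignment
# using "Deny log on locally" (SeDenyInteractiveLogonRight, which also covers
# the interactive logon that runas.exe requests), "Deny log on through
# Terminal Services" (SeDenyRemoteInteractiveLogonRight) and "Deny access to
# this computer from the network" (SeDenyNetworkLogonRight), linked to the
# workstation OUs and never to the Domain Controllers OU.

# secedit writes principals as *S-1-...; translate a SID to DOMAIN\name.
function Resolve-RightsPrincipal {
    param([string]$Token)
    if ($Token.StartsWith('*S-1-')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier ($Token.TrimStart('*'))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            return $Token   # unresolvable SID (deleted account, untrusted domain)
        }
    }
    return $Token
}

# Export the effective User Rights Assignment of this machine and return a
# hashtable: right name -> array of principal names holding it.
function Get-DenyLogonRights {
    $inf = Join-Path $env:TEMP ('rights-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = @{}
    foreach ($line in Get-Content -Path $inf) {
        if ($line -match '^(SeDeny\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            $value = $Matches[2]
            $rights[$right] = @($value -split ',' | ForEach-Object { Resolve-RightsPrincipal $_.Trim() })
        }
    }
    Remove-Item -Path $inf -ErrorAction SilentlyContinue
    return $rights
}

# True when the named principal holds the given deny right on this machine.
function Test-DenyRight {
    param(
        [Parameter(Mandatory)][string]$Right,
        [Parameter(Mandatory)][string]$PrincipalName
    )
    $rights = Get-DenyLogonRights
    return ($rights.ContainsKey($Right) -and ($rights[$Right] -contains $PrincipalName))
}

# Usage (placeholder names):
Get-GpoDelegationReport | Format-Table -AutoSize
Get-DenyLogonRights | Format-List
Test-DenyRight -Right 'SeDenyInteractiveLogonRight' -PrincipalName 'EXAMPLE\Tier0-DC-Admins'
```

Run the delegation report from any machine with GPMC installed; the result does not depend on where it runs, which is the point: if the editing account is missing from the GPO ACLs, no amount of re-joining the workstation will bring the Edit menu back. Run the deny-right checks on a workstation and on a DC: the placeholder group should appear in the deny rights on the former and nowhere on the latter.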