Thoughts around GPO for disabling local administrator only
Forum: microsoft.public.windows.server.active_directory (all times are GMT)

Björn Johansson (Guest)
Posted: Sun May 14, 2006 4:35 am    Subject: Thoughts around GPO for disabling local administrator only

Hello,

DC's: 2003 SP1
Servers: 2000 and 2003
Clients: 2000

I would like to use Group Policy to disable all LOCAL administrator
accounts on clients, but leave domain\administrator intact. This is because
I suspect that the password has been compromised, and I now use Restricted
Groups with segmented admins.

I've searched and tested myself without any luck. This is what I tried:

1. Administrator Account Status - also disables domain\administrator. I need
that account enabled because we are using a lockout policy (cannot be
changed). If I create another admin account, an attacker can lock me out of
the domain; domain\administrator can't be locked out.

2. Deny Logon Locally - is not working. I cannot add just the user
administrator; I get the following: "You cannot deny all users or administrator(s)
from logging on locally"

Any other thoughts or solutions?

Thanks,

Björn Johansson
System Technician
neo [mvp outlook] (Guest)
Posted: Sun May 14, 2006 5:50 pm    Subject: Re: Thoughts around GPO for disabling local administrator only

In your tests, where did you attach this new Group Policy object to disable
the local administrator account? The reason that I ask is that I can see it
not working if attaching at site or domainDNS level, but it should work if
applying to the built-in "computers" container or any OU that contains the
member workstation/servers but not domain controllers.

Björn Johansson (Guest)
Posted: Sun May 14, 2006 11:46 pm    Subject: Re: Thoughts around GPO for disabling local administrator only

Hello,

I tested in my home lab and it seems like you are right. Hopefully I get the
same result at work tomorrow!

Thank you

BR

Björn

Jorge Silva (Guest)
Posted: Mon May 15, 2006 10:18 pm    Subject: Re: Thoughts around GPO for disabling local administrator only

Hi

Assuming that your DCs are in the Domain Controllers OU:

1 - Disable the Administrator account at Domain policy level (Default Domain
Policy).

Computer configuration -> Windows Settings -> Security Settings -> Security
Options -> Accounts: Administrator account Status = Disabled.

2 - Create a conflicting policy in the Domain Controllers OU (Default Domain
Controllers Policy):

Computer configuration -> Windows Settings -> Security Settings -> Security
Options -> Accounts: Administrator account Status = Enabled.

That should be enough.

--
I hope that helps

Good Luck
Jorge Silva
MCSA
Systems Administrator
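Added here as a practical check, not code from any of the posters: a PowerShell script that verifies the end state both replies aim for, whether the GPO is linked only to an OU of member computers (neo's approach) or set at domain level and overridden in the Domain Controllers OU (Jorge's approach). It assumes a domain-joined admin host with the RSAT ActiveDirectory module and that the WinNT ADSI provider (RPC/SMB) can reach each member computer; both are assumptions, not something the thread states. It matches the local account by the RID 500 SID rather than the name "Administrator", so a renamed account is still found. The reason the domain controllers need separate handling is that a DC has no local SAM of its own: the same "Administrator account status" setting applied there acts on the domain Administrator, which is what the original poster saw. Microsoft's documentation for the setting also notes that a disabled built-in Administrator can still log on in Safe Mode under some conditions, so the GPO is a hardening step rather than a complete lockout.

```powershell
# Added example, not from the thread: after linking the GPO, confirm that
# (a) the built-in local Administrator (RID 500) is disabled on member computers and
# (b) the domain Administrator is still enabled.
# Assumptions: run from a domain-joined admin host with the RSAT ActiveDirectory
# module; the WinNT ADSI provider (RPC/SMB) can reach each member computer.

$ADS_UF_ACCOUNTDISABLE = 0x2   # UserFlags bit meaning "account disabled"

function Get-BuiltinAdminStatus {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Walk the local SAM through the WinNT provider and pick the user whose SID ends
    # in -500: that is the built-in Administrator even if it has been renamed.
    $computer = [ADSI]"WinNT://$ComputerName,computer"
    foreach ($user in ($computer.Children | Where-Object { $_.SchemaClassName -eq 'User' })) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($user.objectSid.Value, 0)
        if ($sid.Value -like '*-500') {
            return [pscustomobject]@{
                ComputerName = $ComputerName
                AccountName  = $user.Name
                Disabled     = [bool]($user.UserFlags.Value -band $ADS_UF_ACCOUNTDISABLE)
                Error        = $null
            }
        }
    }
    throw "No RID-500 account found on $ComputerName"
}

# Member computers only: exclude accounts with SERVER_TRUST_ACCOUNT (0x2000) set,
# i.e. domain controllers, which have no separate local SAM to check.
$memberFilter = '(!(userAccountControl:1.2.840.113556.1.4.803:=8192))'
$report = foreach ($c in (Get-ADComputer -LDAPFilter $memberFilter)) {
    try {
        Get-BuiltinAdminStatus -ComputerName $c.DNSHostName
    } catch {
        # Offline or unreachable hosts are reported rather than silently skipped.
        [pscustomobject]@{ ComputerName = $c.DNSHostName; AccountName = $null; Disabled = $null; Error = $_.Exception.Message }
    }
}
$report | Sort-Object Disabled, ComputerName | Format-Table -AutoSize

# The domain Administrator is the domain's own RID-500 account. It must stay enabled:
# as the original post notes, it is the one account that cannot be locked out.
$domainAdmin = Get-ADUser -Identity "$((Get-ADDomain).DomainSID.Value)-500" -Properties Enabled
if (-not $domainAdmin.Enabled) {
    Write-Warning "Domain Administrator ($($domainAdmin.SamAccountName)) is DISABLED: the policy reached a domain controller"
} else {
    "Domain Administrator ($($domainAdmin.SamAccountName)) is enabled"
}
```

Any member computer that still shows Disabled = False after a policy refresh is either outside the OU the GPO is linked to or has not applied it yet; any row with an Error is a host the check could not reach and needs a second look rather than being assumed compliant.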