Restricting domain users

I have a group of users in my Windows 2000 Server domain named COMPANY, who are expert enough to bother with all things.

At the beginning I had them as Domain Admins. Currently I restrict them to Domain Users. What I am actually looking for is to give them access as if they were Domain Admins, but DENY them altering TCP/IP properties, gateways, joining other domains, and generally anything that has to do with altering the network thingies as well as the registry.

Is there a way of allowing them everything apart from these, and how do I do it?

1 Solution

One simple answer: no, there isn't.... If you add someone to the admins group and they need to do admin thingies, they will be able to change TCP/IP properties. The only way I can think of is to create a new user group and give them access to the things they need to have.. Maybe (and just maybe) you can add them to the domain admins group (the newly created group) and prevent them from changing these things by using GPOs...

Still, it will be stingy... You cannot give them all those rights and not the right to change TCP/IP settings..

Remove them from the Domain Admins group and add them to the Power Users group.

If that doesn't help then GPOs are the only solution.

chandupcs gave you solid advice...

1. Create a new OU and move these elevated users into it.
2. Remove them from Domain Admins and add them to domain power users.
3. You can apply group policy to the new OU to further lock down your problem users.

1. Create a new "company users" OU and move all domain user accounts to it.  DO NOT MOVE BUILT IN ACCOUNTS OR SERVICE ACCOUNTS.  Just the accounts you have created for employees.

2. Then add a GPO to that OU locking the items required.

dinosaurus (Author) commented:
Some comments:

1. I have no Power User Group in my Microsoft Win Server 2000
2. I am trying to access the Domain Controller Security Policy and the Domain Security Policy but I keep getting the message:

Failed to open the Group Policy object. You may not have the appropriate rights.
The specified domain either does not exist or could not be contacted.

I am trying to access these two shortcuts directly from the PDC, and I am the Administrator (I logged in as Administrator). Could this be happening because some service is not running?

3. What is the OU kelo501 is referring to?

If you have any suggestions for (2) I would be happy to increase the points.

dinosaurus (Author) commented:
Did you quit trying for an answer????
Do you have one single domain or multiple domains?? And the machine you're logging into, is this a DC or not?? Can you access all files within the server?? Do you see anything strange in event viewer (try restarting the server; normally services that don't start generate events within event viewer)..
Sorry I have been so very busy.....
It is not the points, but thank you for the offer.

I still do not have time right now, but I will post something for you by midnight tonight.

Again sorry,
OK, sorry this has taken so long...

First, you do have a power users group.

Go to the properties of one of your users, go to the Member Of tab, click Add, click Advanced, select Groups and then Find Now.  This will list all of your groups.

It should be "domainname\power users".

2nd, there is a lot to setting up GPO correctly; the only reason to do it is the return given when they're done.  I strongly recommend you get a book on 2000 AD.  I personally am a big fan of Microsoft Press books, such as the Administrator's Companion.  But look on the web or at a store to find one that works for you.  You can also find a lot of good information on TechNet.

OK, now if you find the power user group, add it to all of your selected users and make sure you remove them from domain admins; also make sure they have not added themselves to the local machine admin group.  If they have, remove them.  Once that is done, test and see if that is restrictive enough.  I do not believe it will be, because power user is designed to allow for the installation of drivers and changing network settings.  Microsoft added a mobile user group in 2003 to somewhat address this gap.  But in 2000 all laptop users should be given Power User so they can install devices away from the office and change their settings to get online at remote places.

That being said, we are back to Group Policy objects.
Here is where you should make your changes...  This is free advice...  I have seen people cause a lot of problems with GPOs, so please research them first.

Create a new OU and move your users into it.

Then click Properties on the OU and go to the Group Policy tab.
Create a new policy called "power user lock down" or whatever you want.
Click Edit.
In the user settings.  This will be the bottom set.
Select "local policy".
Select "user rights assignment".
On the right side will be a large list of settings you can configure.

You can also use the "administration" folder to look at additional stuff.

Now I do not have this to look at right now, so it is from memory and may be off here and there, but it should get you close enough that you can figure it out.

LAST but very important.
Set up a test OU and a test user.  Then test your GPO before you deploy it into production.

Good luck and I hope this helps.
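The two answers above both come down to the same end state: the "expert" accounts are out of Domain Admins (and every other all-powerful group), and a GPO on their OU actually blocks them from touching LAN connection properties. As an added example that is not from this thread (and not something Windows 2000 itself could run, since PowerShell came later), here is how a present-day admin would verify both halves before declaring the lockdown done. It assumes the ActiveDirectory RSAT module on a domain-joined machine for the first check, and that the second check is run on the test workstation while logged on as the test user. The account names alice and bob are constructed samples; the registry value names are the ones the Network Connections administrative templates write and should be confirmed against your own ADMX files.

```powershell
<#
  Added audit example, not code from the thread or from Microsoft.
  Part 1: are the chosen users (directly or through nesting) in any group
          that would let them bypass the GPO lockdown?
  Part 2: did the Network Connections lockdown actually reach the test user?
#>

# Groups whose membership effectively grants unrestricted rights. Being in any
# of these defeats a "deny TCP/IP changes" policy, which is the thread's point.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function Get-PrivilegedMembership {
    param(
        [string[]]$SamAccountNames,
        [string[]]$Groups = $PrivilegedGroups
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Expand each privileged group recursively, so a user hidden two groups
    # deep inside Domain Admins is still caught.
    $members = @{}
    foreach ($g in $Groups) {
        $members[$g] = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                         Where-Object { $_.objectClass -eq 'user' } |
                         Select-Object -ExpandProperty SamAccountName)
    }

    foreach ($sam in $SamAccountNames) {
        $hits = @($Groups | Where-Object { $members[$_] -contains $sam })
        [pscustomobject]@{
            User             = $sam
            PrivilegedGroups = ($hits -join ', ')
            Compliant        = ($hits.Count -eq 0)   # $true means "not in any of them"
        }
    }
}

# Registry values written under the user hive by
# User Configuration > Administrative Templates > Network > Network Connections
# when the matching policy is set to Enabled. Value names per the Microsoft
# templates as I know them; verify against your ADMX before relying on them.
$NetworkConnectionsKey = 'HKCU:\Software\Policies\Microsoft\Windows\Network Connections'
$ExpectedLockdown = [ordered]@{
    NC_LanProperties        = 1   # Prohibit access to properties of a LAN connection
    NC_LanChangeProperties  = 1   # Prohibit access to properties of components of a LAN connection
    NC_EnableAdminProhibits = 1   # Without this, members of local Administrators ignore the two above
}

function Test-NetworkLockdown {
    param(
        [string]$Key = $NetworkConnectionsKey,
        $Expected = $ExpectedLockdown
    )
    # Missing key means the GPO never applied (wrong OU, no gpupdate, filtering).
    $actual = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $value = if ($actual) { $actual.$name } else { $null }
        [pscustomobject]@{
            Setting  = $name
            Expected = $Expected[$name]
            Actual   = $value
            Applied  = ($value -eq $Expected[$name])
        }
    }
}

# Usage: the first call from an admin workstation, the second on the test
# client as the test user (after gpupdate /force and a fresh logon).
Get-PrivilegedMembership -SamAccountNames 'alice', 'bob' | Format-Table -AutoSize
Test-NetworkLockdown | Format-Table -AutoSize
```

Any row with Compliant = False in the first table means the GPO is beside the point for that account: an administrator can simply undo it. The NC_EnableAdminProhibits check exists for the same reason; it is the switch that makes the Network Connections restrictions apply to accounts that are local administrators on the workstation, which is exactly the gap the answers warn about with "power user" laptop users.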