Restricting domain users

Posted on 2004-10-10
Medium Priority
Last Modified: 2010-04-14
I have a group of users in my Windows 2000 Server domain named COMPANY, who are experts enough to bother with all things.

At the beginning I had them as Domain Admins. Currently I restrict them to Domain Users. What I am actually looking for is to give them access as if they were Domain Admins, but DENY them altering TCP/IP properties, gateways, joining other domains, and generally anything that has to do with altering the network thingies as well as the registry.

Is there a way of allowing them everything apart from these, and how do I do it?

Question by:dinosaurus

Expert Comment

ID: 12272203

One simple answer, no there isn't.... If you add someone to the admins group and they need to do admin thingies, they will be able to change TCP/IP properties. The only way I can think of is to create a new user group and give them access to the things they need to have.. Maybe (and just maybe), you can add them to the domain admins group (the newly created group) and prevent them from changing these things by using GPOs...

Still, it will be stingy... You cannot give them all those rights and not the right to change TCP/IP settings..

Expert Comment

ID: 12272278

Remove them from the Domain Admins group and add them to the Power Users group.

If that doesn't help then GPOs are the only solution.


Expert Comment

ID: 12272924
chandupcs gave you solid advice...

1. Create a new OU and move these elevated users into it.
2. Remove them from Domain Admins and add them to domain Power Users.
3. You can apply group policy to the new OU to further lock down your problem users.

1. Create a new "company users" OU and move all domain user accounts to it.  DO NOT MOVE BUILT IN ACCOUNTS OR SERVICE ACCOUNTS.  Just the accounts you have created for employees.

2. Then add a GPO to that OU locking the items required.



Author Comment

ID: 12300365
Some comments:

1. I have no Power User Group in my Microsoft Win Server 2000
2. I am trying to access the Domain Controller Security Policy and the Domain Security Policy but I keep getting the message:

Failed to open the Group Policy object. You may not have the appropriate rights.
The specified domain either does not exist or could not be contacted.

I am trying to access these two shortcuts directly from the PDC, and I am the Administrator (I logged in as Administrator). Could this be happening because some service is not running?

3. What is the OU kelo501 is referring to?

If you have any suggestions for (2) I would be happy to increase the points.


Author Comment

ID: 12562924
Did you quit trying for an answer????

Expert Comment

ID: 12582662
Do you have one single domain or multiple domains?? And the machine you're logging into, is this a DC or not?? Can you access all files within the server?? Do you see anything strange in event viewer (try restarting the server, normally services that don't start generate events within event viewer)..

Expert Comment

ID: 12583642
Sorry I have been so very busy.....
It is not the points but thank you for the offer.

I still do not have time right now but we'll post something for you by midnight tonight.

Again sorry,

Accepted Solution

kelo501 earned 1400 total points
ID: 12600187
OK, sorry this has taken so long...

First, you do have a Power Users group.

Go to the properties of one of your users, go to the Member Of tab, click Add, click Advanced, select Groups and then Find Now.  This will list all of your groups.

It should be "domainname\power users".

2nd, there is a lot to setting up GPO correctly; the only reason to do it is the return given when they're done.  I strongly recommend you get a book on 2000 AD.  I personally am a big fan of Microsoft Press books, such as the Administrator's Companion.  But look on the web or at a store to find one that works for you.  You can also find a lot of good information on TechNet.

OK, now if you find the Power Users group, add it to all of your selected users and make sure you remove them from Domain Admins; also make sure they have not added themselves to the local machine Administrators group.  If they have, remove them.  Once that is done, test and see if that is restrictive enough.  I do not believe it will be, because Power Users is designed to allow for the installation of drivers and changing network settings.  Microsoft added a mobile user group in 2003 to somewhat address this gap.  But in 2000 all laptop users should be given Power User so they can install devices away from the office and change their settings to get online at remote places.

That being said, we are back to Group Policy Objects.
Here is where you should make your changes...  This is free advice...  I have seen people cause a lot of problems with GPOs, so please research them first.

Create a new OU and move your users into it.

Then click Properties on the OU and go to the Group Policy tab.
Create a new policy called "power user lock down" or whatever you want.
Click Edit.
In the user settings.  This will be the bottom set.
Select "Local Policy".
Select "User Rights Assignment".
On the right side will be a large list of settings you can configure.

You can also use the "Administrative Templates" folder to look for additional stuff.

Now I do not have this to look at right now, so it is from memory and may be off here and there, but it should get you close enough that you can figure it out.

LAST, but very important:
Set up a test OU and a test user.  Then test your GPO before you deploy it into production.

Good luck and I hope this helps.
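The procedure the two answers above describe (a dedicated OU for the elevated users, removal from Domain Admins, membership in a less-privileged group, and a GPO linked to that OU that blocks network-connection and registry changes), written out as a PowerShell script. This is an added example, not code from the thread or from any of its participants: it assumes a current Active Directory domain with the RSAT ActiveDirectory and GroupPolicy modules (which the Windows 2000 environment in the question does not have), and every name in it (OU, group, GPO, user accounts) is constructed. The two registry values it sets come from the "Network Connections" and "System" administrative templates under User Configuration; treat those value names as an assumption to confirm against the template on your own domain before relying on them.

```powershell
# Added example, not from the original thread. Assumes RSAT ActiveDirectory and
# GroupPolicy modules on a domain-joined admin workstation. All names are constructed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN    = (Get-ADDomain).DistinguishedName
$OuName      = 'Company Users'                 # constructed OU name
$OuDN        = "OU=$OuName,$DomainDN"
$TargetGroup = 'COMPANY Restricted Admins'     # constructed; assumed to exist already
$GpoName     = 'Power User Lock Down'          # constructed GPO name
$Users       = @('jdoe', 'asmith')             # constructed sAMAccountNames; never
                                               # built-in or service accounts

# 1. Create the OU if it is missing. Protect it so a stray delete does not
#    silently unlink the policy from every account beneath it.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" -SearchBase $DomainDN `
        -SearchScope OneLevel -ErrorAction SilentlyContinue
if (-not $ou) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Move each listed account into the OU, remove it from Domain Admins and put it
#    in the restricted group. Only the explicit list is touched.
foreach ($sam in $Users) {
    $user = Get-ADUser -Identity $sam
    if ($user.DistinguishedName -notlike "*,$OuDN") {
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $OuDN
    }
    Remove-ADGroupMember -Identity 'Domain Admins' -Members $sam -Confirm:$false -ErrorAction SilentlyContinue
    Add-ADGroupMember    -Identity $TargetGroup    -Members $sam
}

# 3. Create the lock-down GPO and link it to this OU only, never to the domain root,
#    so it cannot reach built-in or service accounts.
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}
$linked = (Get-GPInheritance -Target $OuDN).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes | Out-Null
}

# User Configuration > Administrative Templates > Network > Network Connections:
# "Prohibit access to properties of a LAN connection" (blocks TCP/IP and gateway edits).
# Value name is from that template; confirm it on your own domain (assumption).
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Policies\Microsoft\Windows\Network Connections' `
    -ValueName 'NC_LanProperties' -Type DWord -Value 1 | Out-Null

# User Configuration > Administrative Templates > System:
# "Prevent access to registry editing tools".
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableRegistryTools' -Type DWord -Value 1 | Out-Null

# 4. Verify the privilege drop actually happened: none of the listed accounts may
#    still be in Domain Admins, directly or through a nested group.
$remaining = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
             Where-Object { $Users -contains $_.SamAccountName }
if ($remaining) {
    Write-Warning ("Still in Domain Admins: " + ($remaining.SamAccountName -join ', '))
} else {
    Write-Host "Domain Admins no longer contains any of: $($Users -join ', ')"
}
```

Two points worth keeping in mind when adapting this. "Add workstations to domain" and the other User Rights Assignment entries are computer-side settings (Computer Configuration > Windows Settings > Security Settings > Local Policies), so they apply to the OU that holds the workstation objects, not to the user OU this script links to; the registry-backed user settings above are what a user-side GPO can enforce. And as the accepted answer says, point `$OuDN` and `$Users` at a test OU and a test account first, confirm with `gpresult /r` on a workstation that the policy applied, and only then run it against the real accounts.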
