"Everyone" can add or remove themselves from Domain Administrator account whenever they want to

I am running a mixed mode network and I currently have 2 W2k AD DC and 1 WINNT PDC. I am only running 4 limited Group Policies and none of these effect security. I notice that the Everyone group has the ability to Add/Remove themselves from the Domain Administrator account. I have explicitly denied this and within a short time (maybe through replication or policy refresh) it returns as Approved. This is a major security fault please help. I am not sure if there is a default setting I am unaware of. On another side note I experienced the "The Local Policy of the system does not permit you to logon interactively" I used the ntrights.exe and was able to get back in but have since had this happen again. Looking through my GPO I do not see anything that would make this happen. I listed this because I am hoping they are somehow related. Any help would be appreciated.
fabresAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

luv2smileCommented:
"The Local Policy of the system does not permit you to logon interactively"

For this error you have to give the user rights in the local security policy on the client.

gpedit.msc

computer config- windows settings- security- local policies- user rights assignment- log on locally
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
luv2smileCommented:
I assume you mean that users are able to add themselves to the domain admin group?

Go into active directory users and computers- users- then click on the domain admin group

The members tab will list the members and the security tab will list who has rights to this group. You need to remove the everyone group from this security tab.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 2000

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.