farmer9000
asked on
As a sys admin I need access to all computers.
I maintain a small Active Directory OU of some 500 to 600 machines. Most of these machines stay in place for about a year. The problem starts when new machines come in and are added to my OU. They come from many different locations and thus have been built by a variety of different people with a wide variety of different ideas on who should and should not have access to the local box. (Sorry for the long sentence... but...) I must have the ability to monitor and modify these machines in order to ensure that we have the highest level of security; updates; patches; and no, and I do mean NO!, unauthorized software and other stuff. (Tough job, but someone...)
I am not a PC tech. I need a resource that can help me understand what some of these other guys have done to block me from getting to... say, local users and groups; or deny "Remote Desktop Connection" or deny "Symantec to unto update". You get the picture. Can anyone help me get started on this? I would like an answer that involves the use of AD GPOs; then when they go away, they can have their machine back.
I have been all through the local Group Policies and cannot find anything that looks suspect.
Thanks, Rick
GPs take precedence over local policies: http://www.securitydocs.com/library/3198/2
First, the local GPO applies. Although this GPO resides directly on the computer that it will configure, it has the least priority when compared with the other AD GPOs.
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/operate/04w2kada.mspx
You may need to make a GPO that re-adds the domain admins to the local admin group of the machines, I suppose.
-rich
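A per-machine check for the situation discussed above, as an added example that is not part of the thread: it reports who is in the local Administrators group, whether Domain Admins is among them, and whether Remote Desktop is denied, and can re-add Domain Admins on request. It assumes Windows PowerShell 5.1 or later in an elevated session on a domain-joined machine; `EXAMPLE` is a placeholder NetBIOS domain name.

```powershell
# Added example (not from the thread): audit local Administrators membership
# and the Remote Desktop deny flag; optionally re-add Domain Admins.
# Assumptions: Windows PowerShell 5.1+, elevated session, domain-joined machine.
# 'EXAMPLE' is a placeholder NetBIOS domain name.
param(
    [string]$DomainNetBios = 'EXAMPLE',
    [switch]$Repair          # report only unless -Repair is given
)

$adminsSid = 'S-1-5-32-544'  # BUILTIN\Administrators (well-known SID)
$members   = @(Get-LocalGroupMember -SID $adminsSid)

# Domain Admins always has RID 512 under the domain SID (S-1-5-21-...-512).
$hasDomainAdmins = [bool]($members |
    Where-Object { $_.SID.Value -match '^S-1-5-21-.+-512$' })

# fDenyTSConnections = 1 means Remote Desktop connections are refused.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name fDenyTSConnections -ErrorAction SilentlyContinue

[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    LocalAdministrators = ($members.Name -join '; ')
    DomainAdminsPresent = $hasDomainAdmins
    RemoteDesktopDenied = ($ts.fDenyTSConnections -eq 1)
}

if ($Repair -and -not $hasDomainAdmins) {
    # One-off local fix; a domain GPO is what keeps the membership in place.
    Add-LocalGroupMember -SID $adminsSid -Member "$DomainNetBios\Domain Admins"
    Write-Output "Added $DomainNetBios\Domain Admins to local Administrators."
}

# Show which GPOs actually applied to the computer, in precedence order.
gpresult /r /scope computer
```

Run it without `-Repair` first to see what the previous builders changed; the `gpresult` output shows whether the domain GPOs for the OU are reaching the machine at all.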
ASKER
I was hoping someone would come up with a script that would reset all the local policies to a default setting with minimum security. I have enough network security to not be concerned about local settings.