johnrhines asked:

What are the correct entries for Active Directory, Users (i.e. Domain Admins), Members and Security tab?

I'm sure this isn't a big deal to the experts out there, but it is a huge deal to me since I'm not sure how to proceed without messing up my entire network.

I'm having permissions issues with a 2003 Server where the entries on the Members tab are different than those on the Security tab.  In the beginning this was an NT 4.0 network, and then a Windows 2000 Server domain before it was upgraded to a Windows 2003 domain 5 years or so ago.

For some reason there seems to be some remnants of the W2K domain intertwined in our network.  For example purposes I'm going to exclude the exact name of the domain, so let's assume it was called company_nt when we had a Windows 2000 Server environment and it was changed to company.com when we went to a Windows 2003 Server environment.

As an example the Builtin Group called Administrators has the following entries:

Members tab:
Administrator      domain_name.com/Users
REMOTE1            domain_name/Computers
Dave W             domain_name.com/Users
Domain Admins      domain_name.com/Users
Enterprise Admin   domain_name.com/Users
John R             domain_name.com/Users
Keith B            domain_name.com/Users
Lynn Z             domain_name.com/Users
Rob                domain_name./Users


Member Of tab:
This tab is empty


Security tab:
Administrators (domain_nt\Administrators)
Authenticated Users
Cert Publishers (domain_nt\Cert Publishers)
Domain Admins (domain_nt\Domain Admins)
Enterprise Admins (domain_nt\Enterprise Admins)
Everyone
Exchange Enterprise Servers (domain_nt\Exchange Enterprise Servers)
Pre-Windows 2000 Compatible Access (domain_nt\Pre-Windows 2000 Compatible Access)
SELF
SYSTEM
Terminal Server License Servers (domain_nt\Terminal Server License Servers)
Windows Authorization Access Group (domain_nt\Windows Authorization Access Group)




So my question is this: what needs to be there, and what can I get rid of?  How do I determine what is necessary and what has been added due to lack of knowledge or understanding?

I'm sure this sounds very convoluted, so please ask me for clarification and I'll do the best that I can.

Thank you very much for any assistance you are able to provide.
ASKER CERTIFIED SOLUTION
Americom
This solution is only available to members.
johnrhines (ASKER)

The reason for wanting to remove entries from the security tab is due to permissions, group policies, default domain controller security settings, etc.  Something is not working properly in our domain.  The NT 4.0 and Windows 2000 Servers are no longer a part of our network and I'm trying to put all securities back to their defaults so I can begin to find out exactly where the problem is.  

We are a small company and it is okay for all of us (employees) to have administrator rights to everything. However we need to grant remote access to a user (guestp) so they can logon to a terminal server (remote) and run an application which will authenticate the User ID (guestp) and password against the domain.  While we need to authenticate the user (guestp) against the domain, we don't want the user (guestp) to have any access whatsoever outside the individual (remote) terminal server.

At this point in time we are able to logon locally to the terminal server (remote) successfully (by choosing REMOTE for Log on to: instead of the domain name) and receive a login window for the application (installed locally on REMOTE) but we are not able to authenticate against the domain.

So the question is: how can I authenticate against the domain but prevent them from doing anything on any other computer (pc or server) on the domain?

I appreciate any help you all are able to offer.
You can try removing REMOTE from the domain and rejoining it to the domain and see if that helps.
As far as what displays on the Security tab, with the old domain name or not, it really shouldn't affect your application authenticating domain users. The only security that would have an impact is what's in the Members tab. The Security tab is only for who has what access to which AD object; it has nothing to do with resources on another computer.
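
To see the distinction drawn in the last reply, the following added example (not part of the original thread) reads both lists for one group through ADSI: the `member` attribute behind the Members tab and the DACL behind the Security tab. The function name is hypothetical, and the distinguished name is an assumption built from the thread's placeholder domain company.com.

```powershell
# Added example: compare what the Members tab and the Security tab show for one group.
# Get-GroupMembersAndAcl is a hypothetical helper name, not a built-in cmdlet.
function Get-GroupMembersAndAcl {
    param([Parameter(Mandatory = $true)][string]$GroupDN)

    $entry = [ADSI]"LDAP://$GroupDN"

    # Members tab: the group's "member" attribute, i.e. who receives
    # whatever rights have been granted to this group.
    $members = @($entry.psbase.Properties["member"] | ForEach-Object { [string]$_ })

    # Security tab: the DACL on the group object itself, i.e. who may
    # read or modify the group in the directory. Trustees whose SID no
    # longer resolves to an account are returned as raw S-1-5-... strings.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.NTAccount])

    # Collapse the individual ACEs into one summary row per trustee.
    $acl = $rules | Group-Object { $_.IdentityReference.Value } | ForEach-Object {
        New-Object PSObject -Property @{
            Trustee   = $_.Name
            Rights    = ($_.Group |
                ForEach-Object { "$($_.AccessControlType):$($_.ActiveDirectoryRights)" } |
                Sort-Object -Unique) -join '; '
            # True only when every ACE for this trustee is inherited from a parent.
            Inherited = -not ($_.Group | Where-Object { -not $_.IsInherited })
        }
    }

    New-Object PSObject -Property @{ Members = $members; Acl = $acl }
}

# Assumed DN, built from the thread's placeholder domain; replace with your own.
$result = Get-GroupMembersAndAcl -GroupDN 'CN=Administrators,CN=Builtin,DC=company,DC=com'

"Members (who gets the group's rights):"
$result.Members

"ACL on the group object (who can manage the group):"
$result.Acl | Sort-Object Trustee | Format-Table Trustee, Inherited, Rights -AutoSize
```

Adding or removing a trustee in the second list changes who can administer the group object; only the first list changes what an account can do on other computers.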