johnrhines
asked on
What are the correct entries for Active Directory, Users (i.e. Domain Admins), Members and Security tab?
I'm sure this isn't a big deal to the experts out there, but it is a huge deal to me since I'm not sure how to proceed without messing up my entire network.
I'm having permissions issues with a 2003 Server where the entries on the Members tab are different than those on the Security tab. In the beginning this was an NT 4.0 network, and then a Windows 2000 Server domain before it was upgraded to a Windows 2003 domain 5 years or so ago.
For some reason there seems to be some remnants of the W2K domain intertwined in our network. For example purposes I'm going to exclude the exact name of the domain, so let's assume it was called company_nt when we had a Windows 2000 Server environment and it was changed to company.com when we went to a Windows 2003 Server environment.
As an example the Builtin Group called Administrators has the following entries:
Members tab:
Administrator domain_name.com/Users
REMOTE1 domain_name/Computers
Dave W domain_name.com/Users
Domain Admins domain_name.com/Users
Enterprise Admin domain_name.com/Users
John R domain_name.com/Users
Keith B domain_name.com/Users
Lynn Z domain_name.com/Users
Rob domain_name./Users
Member Of tab:
This tab is empty
Security tab:
Administrators (domain_nt\Administrators)
Authenticated Users
Cert Publishers (domain_nt\Cert Publishers)
Domain Admins (domain_nt\Domain Admins)
Enterprise Admins (domain_nt\Enterprise Admins)
Everyone
Exchange Enterprise Servers (domain_nt\Exchange Enterprise Servers)
Pre-Windows 2000 Compatible Access (domain_nt\Pre-Windows 2000 Compatible Access)
SELF
SYSTEM
Terminal Server License Servers (domain_nt\Terminal Server License Servers)
Windows Authorization Access Group (domain_nt\Windows Authorization Access Group)
So my question is this: what needs to be there, and what can I get rid of? How do I determine what is necessary and what has been added due to lack of knowledge or understanding?
I'm sure this sounds very convoluted, so please ask me for clarification and I'll do the best that I can.
Thank you very much for any assistance you are able to provide.
You can try removing REMOTE from the domain and rejoining it to the domain to see if that helps.
As far as whether the Security tab displays the old domain name or not, it really shouldn't affect your application's ability to authenticate domain users. The only security that would have an impact is what's in the Members tab. The Security tab is only for who has what access to which AD object; it has nothing to do with resources on another computer.
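The distinction drawn in the answer above, as an added PowerShell example that is not part of the original thread: it reads the group's `member` attribute (what the Members tab shows) and the access control list on the group object itself (what the Security tab shows), then lists which trustees are allowed to modify the group. The distinguished name is a placeholder for the anonymized domain, and the script assumes a domain-joined machine with read access to the directory.

```powershell
# Added example, not from the thread. The DN is a placeholder for your domain.
$groupDn = 'CN=Administrators,CN=Builtin,DC=company,DC=com'   # assumed DN
$group   = [ADSI]"LDAP://$groupDn"

# Members tab = the "member" attribute: the accounts that RECEIVE the
# group's rights wherever the group is granted access.
$members = @($group.Properties['member']) | ForEach-Object {
    $m = [ADSI]"LDAP://$_"
    [pscustomobject]@{
        Name  = [string]$m.Properties['sAMAccountName'].Value
        Class = $m.SchemaClassName      # user, group, computer, ...
        DN    = $_
    }
}

# Security tab = the DACL on the group object in the directory: who may
# read or change THIS object. It grants nothing on other computers.
$aces = $group.psbase.ObjectSecurity.GetAccessRules(
            $true,                                   # explicit ACEs
            $true,                                   # inherited ACEs
            [System.Security.Principal.NTAccount])   # show DOMAIN\name

# Trustees that can alter the group (membership, permissions or owner).
# GenericAll and GenericWrite both include the WriteProperty bit.
# A WriteProperty ACE may be scoped to one attribute; see ObjectType.
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner'
$canModify = $aces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $writeMask) -ne 0)
}

'--- Members tab (member attribute) ---'
$members | Sort-Object Class, Name | Format-Table Name, Class, DN -AutoSize

'--- Security tab (DACL on the group object) ---'
$aces | Sort-Object IdentityReference |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited -AutoSize

'--- Trustees allowed to modify this group ---'
$canModify | Sort-Object IdentityReference |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited -AutoSize
```

The script only reads from the directory. The first table answers "who is an administrator", while the third answers "who can change who is an administrator".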
ASKER
We are a small company and it is okay for all of us (employees) to have administrator rights to everything. However we need to grant remote access to a user (guestp) so they can logon to a terminal server (remote) and run an application which will authenticate the User ID (guestp) and password against the domain. While we need to authenticate the user (guestp) against the domain, we don't want the user (guestp) to have any access whatsoever outside the individual (remote) terminal server.
At this point in time we are able to logon locally to the terminal server (remote) successfully (by choosing REMOTE for Log on to: instead of the domain name) and receive a login window for the application (installed locally on REMOTE) but we are not able to authenticate against the domain.
So the question is: how can I authenticate against the domain but prevent them from doing anything on any other computer (pc or server) on the domain?
I appreciate any help you all are able to offer.