What are the correct entries for Active Directory, Users (i.e. Domain Admins), Members and Security tab?

johnrhines used Ask the Experts™
I'm sure this isn't a big deal to the experts out there, but it is a huge deal to me since I'm not sure how to proceed without messing up my entire network.

I'm having permissions issues with a 2003 Server where the entries on the Members tab are different than those on the Security tab.  In the beginning this was an NT 4.0 network, and then a Windows 2000 Server domain before it was upgraded to a Windows 2003 domain 5 years or so ago.

For some reason there seem to be some remnants of the W2K domain intertwined in our network.  For example purposes I'm going to exclude the exact name of the domain, so let's assume it was called company_nt when we had a Windows 2000 Server environment and it was changed to company.com when we went to a Windows 2003 Server environment.

As an example the Builtin Group called Administrators has the following entries:

Members tab:
Administrator      domain_name.com/Users
REMOTE1            domain_name/Computers
Dave W             domain_name.com/Users
Domain Admins      domain_name.com/Users
Enterprise Admin   domain_name.com/Users
John R             domain_name.com/Users
Keith B            domain_name.com/Users
Lynn Z             domain_name.com/Users
Rob                domain_name./Users

Member Of tab:
This tab is empty

Security tab:
Administrators (domain_nt\Administrators)
Authenticated Users
Cert Publishers (domain_nt\Cert Publishers)
Domain Admins (domain_nt\Domain Admins)
Enterprise Admins (domain_nt\Enterprise Admins)
Exchange Enterprise Servers (domain_nt\Exchange Enterprise Servers)
Pre-Windows 2000 Compatible Access (domain_nt\Pre-Windows 2000 Compatible Access)
Terminal Server License Servers (domain_nt\Terminal Server License Servers)
Windows Authorization Access Group (domain_nt\Windows Authorization Access Group)

So my question is this: what needs to be there, and what can I get rid of?  How do I determine what is necessary and what has been added due to lack of knowledge or understanding?

I'm sure this sounds very convoluted, so please ask me for clarification and I'll do the best that I can.

Thank you very much for any assistance you are able to provide.
Assuming you're asking about the builtin Administrators group for your domain, see below:
Members tab:
Administrator      domain_name.com/Users (this is by default)
REMOTE1            domain_name/Computers (this is added; some application required the computer account to be a member of the Administrators group, but this is rarely used)
Dave W             domain_name.com/Users (this is added, not needed if a member of Domain Admins. But it can be used to make himself a member of the Domain Admins group if a member of this Administrators group)
Domain Admins      domain_name.com/Users (By default)
Enterprise Admin   domain_name.com/Users (By default)
John R             domain_name.com/Users (added, same as Dave W)
Keith B            domain_name.com/Users (added, same)
Lynn Z             domain_name.com/Users (added, same)
Rob                domain_name./Users (added, same)

Member Of tab:
This tab is empty (this is fine and is default)

Security tab:
Administrators (domain_nt\Administrators) (this is from your old domain. This one can be misleading, as it can happen due to renaming your old domain, which is my guess, and it could also be due to a trust of your old domain with this current domain. If your old domain doesn't exist, and everything seems to be working as is, then leave it. It could get very messy on the security tab when it comes to permissions, as most of them have special permissions such as inheritance etc.)
Authenticated Users (by default)
Cert Publishers (domain_nt\Cert Publishers) (comment same as above for Administrators)
Domain Admins (domain_nt\Domain Admins) (comment same as above for Administrators)

Enterprise Admins (domain_nt\Enterprise Admins) (comment same as above for Administrators)
Everyone (By default)
Exchange Enterprise Servers (domain_nt\Exchange Enterprise Servers) (due to exchange config)
Pre-Windows 2000 Compatible Access (domain_nt\Pre-Windows 2000 Compatible Access) (comment same as above for Administrators)
SELF (by default)
SYSTEM (by default)
Terminal Server License Servers (domain_nt\Terminal Server License Servers) (comment same as above for Administrators)
Windows Authorization Access Group (domain_nt\Windows Authorization Access Group) (comment same as above for Administrators)

Note: The "(comment same as above for Administrators)" entries are more or less by default, other than that the domain name is the old one instead of the new one.

johnrhines, Network Administrator


The reason for wanting to remove entries from the security tab is due to permissions, group policies, default domain controller security settings, etc.  Something is not working properly in our domain.  The NT 4.0 and Windows 2000 Servers are no longer a part of our network and I'm trying to put all securities back to their defaults so I can begin to find out exactly where the problem is.  

We are a small company and it is okay for all of us (employees) to have administrator rights to everything. However, we need to grant remote access to a user (guestp) so they can log on to a terminal server (remote) and run an application which will authenticate the User ID (guestp) and password against the domain.  While we need to authenticate the user (guestp) against the domain, we don't want the user (guestp) to have any access whatsoever outside the individual (remote) terminal server.

At this point in time we are able to logon locally to the terminal server (remote) successfully (by choosing REMOTE for Log on to: instead of the domain name) and receive a login window for the application (installed locally on REMOTE) but we are not able to authenticate against the domain.

So the question is: how can I authenticate against the domain but prevent them from doing anything on any other computer (pc or server) on the domain?

I appreciate any help you all are able to offer.

You can try removing REMOTE from the domain and rejoining it to the domain to see if that helps.
As far as what displays on the security tab, with the old domain name or not, it really shouldn't affect your application authenticating domain users. The only security that would have an impact is what's in the Members tab. The security tab is only for who has what access to which AD object; it has nothing to do with resources on another computer.
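
The distinction drawn in the answer above (Members tab = who holds the group's rights, Security tab = who may read or change the group object itself) can be checked read-only with the sketch below. It is an added example, not part of the original thread; the distinguished name is an assumed placeholder for your own domain, and it must be run from a domain-joined machine by an account that can read the object.

```powershell
# Added example: list what the Members tab and the Security tab are built from
# for the builtin Administrators group. Read-only; nothing is modified.
$groupDn = 'CN=Administrators,CN=Builtin,DC=company,DC=com'   # assumed DN, adjust
$group   = [ADSI]"LDAP://$groupDn"

# Well-known RIDs of the default members named in the answer:
# 500 = Administrator, 512 = Domain Admins, 519 = Enterprise Admins.
$defaultRids = '500', '512', '519'

# Members tab = the 'member' attribute of the group object.
$members = foreach ($dn in $group.psbase.Properties['member']) {
    $m     = [ADSI]"LDAP://$dn"
    $bytes = [byte[]]$m.psbase.Properties['objectSid'].Value
    $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    New-Object PSObject -Property @{
        Name    = [string]$m.psbase.Properties['sAMAccountName'].Value
        Class   = $m.psbase.SchemaClassName          # user, group, computer, ...
        Sid     = $sid
        Default = $defaultRids -contains ($sid -split '-')[-1]
    }
}

# Security tab = the DACL stored on the group object. Trustees are translated
# to DOMAIN\name where possible; one that cannot be resolved stays a raw SID.
$rules = $group.psbase.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.NTAccount])
$trustees = $rules | Group-Object { $_.IdentityReference.Value } | ForEach-Object {
    $rights = $_.Group | ForEach-Object { $_.ActiveDirectoryRights.ToString() } |
              Select-Object -Unique
    New-Object PSObject -Property @{
        Trustee    = $_.Name
        Unresolved = $_.Name -like 'S-1-*'
        Inherited  = [bool]($_.Group | Where-Object { $_.IsInherited })
        Rights     = $rights -join '; '
    }
}

'--- Members tab (Default = False means the entry was added by someone) ---'
$members  | Sort-Object Default, Name | Format-Table Name, Class, Default, Sid -AutoSize
'--- Security tab (ACL on the group object itself) ---'
$trustees | Sort-Object Trustee | Format-Table Trustee, Unresolved, Inherited, Rights -AutoSize
```

Members reported with `Default = False` correspond to the "added" entries in the answer; the second table only describes access to the group object in the directory and confers no rights on other computers.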
