What are the correct entries for Active Directory, Users (i.e. Domain Admins), Members and Security tab?

I'm sure this isn't a big deal to the experts out there, but it is a huge deal to me since I'm not sure how to proceed without messing up my entire network.

I'm having permissions issues with a 2003 Server where the entries on the Members tab are different than those on the Security tab.  In the beginning this was an NT 4.0 network, and then a Windows 2000 Server domain before it was upgraded to a Windows 2003 domain 5 years or so ago.

For some reason there seems to be some remnants of the W2K domain intertwined in our network.  For example purposes I'm going to exclude the exact name of the domain, so let's assume it was called company_nt when we had a Windows 2000 Server environment and it was changed to company.com when we went to a Windows 2003 Server environment.

As an example the Builtin Group called Administrators has the following entries:

Members tab:
Administrator       domain_name.com/Users
REMOTE1             domain_name/Computers
Dave W              domain_name.com/Users
Domain Admins       domain_name.com/Users
Enterprise Admin    domain_name.com/Users
John R              domain_name.com/Users
Keith B             domain_name.com/Users
Lynn Z              domain_name.com/Users
Rob                 domain_name./Users


Member Of tab:
This tab is empty


Security tab:
Administrators (domain_nt\Administrators)
Authenticated Users
Cert Publishers (domain_nt\Cert Publishers)
Domain Admins (domain_nt\Domain Admins)
Enterprise Admins (domain_nt\Enterprise Admins)
Everyone
Exchange Enterprise Servers (domain_nt\Exchange Enterprise Servers)
Pre-Windows 2000 Compatible Access (domain_nt\Pre-Windows 2000 Compatible Access)
SELF
SYSTEM
Terminal Server License Servers (domain_nt\Terminal Server License Servers)
Windows Authorization Access Group (domain_nt\Windows Authorization Access Group)




So my question is this: what needs to be there, and what can I get rid of?  How do I determine what is necessary and what has been added due to lack of knowledge or understanding?

I'm sure this sounds very convoluted, so please ask me for clarification and I'll do the best that I can.

Thank you very much for any assistance you are able to provide.
Asked by johnrhines (Network Administrator)

Americom commented:
Assuming you're asking about the builtin Administrators group for your domain, see below:
****************
Members tab:
Administrator       domain_name.com/Users (this is by default)
REMOTE1             domain_name/Computers (this is added; some applications require the computer account to be a member of the Administrators group, but this is rarely used)
Dave W              domain_name.com/Users (this is added; not needed if a member of Domain Admins, but can be used to make himself a member of the Domain Admins group if a member of this Administrators group)
Domain Admins       domain_name.com/Users (by default)
Enterprise Admin    domain_name.com/Users (by default)
John R              domain_name.com/Users (added, same as Dave W)
Keith B             domain_name.com/Users (added, same)
Lynn Z              domain_name.com/Users (added, same)
Rob                 domain_name./Users (added, same)

Member Of tab:
This tab is empty (this is fine and is default)

Security tab:
Administrators (domain_nt\Administrators) (this is from your old domain; this one can be misleading, as it can happen due to renaming your old domain, which is my guess, and it could also be due to a trust of your old domain with this current domain. If your old domain doesn't exist and everything seems to be working as is, then leave it. It could get very messy on the Security tab when it comes to permissions, as most of them have special permissions such as inheritance, etc.)
Authenticated Users (by default)
Cert Publishers (domain_nt\Cert Publishers) (comment same as above for Administrators)
Domain Admins (domain_nt\Domain Admins) (comment same as above for Administrators)
Enterprise Admins (domain_nt\Enterprise Admins) (comment same as above for Administrators)
Everyone (by default)
Exchange Enterprise Servers (domain_nt\Exchange Enterprise Servers) (due to Exchange config)
Pre-Windows 2000 Compatible Access (domain_nt\Pre-Windows 2000 Compatible Access) (comment same as above for Administrators)
SELF (by default)
SYSTEM (by default)
Terminal Server License Servers (domain_nt\Terminal Server License Servers) (comment same as above for Administrators)
Windows Authorization Access Group (domain_nt\Windows Authorization Access Group) (comment same as above for Administrators)

Note: The "(comment same as above for Administrators)" entries are more or less by default, other than the domain name being the old one instead of the new one.

johnrhines (Network Administrator, author) commented:
The reason for wanting to remove entries from the security tab is due to permissions, group policies, default domain controller security settings, etc.  Something is not working properly in our domain.  The NT 4.0 and Windows 2000 Servers are no longer a part of our network and I'm trying to put all securities back to their defaults so I can begin to find out exactly where the problem is.  

We are a small company and it is okay for all of us (employees) to have administrator rights to everything. However, we need to grant remote access to a user (guestp) so they can log on to a terminal server (remote) and run an application which will authenticate the User ID (guestp) and password against the domain.  While we need to authenticate the user (guestp) against the domain, we don't want the user (guestp) to have any access whatsoever outside the individual (remote) terminal server.

At this point in time we are able to logon locally to the terminal server (remote) successfully (by choosing REMOTE for Log on to: instead of the domain name) and receive a login window for the application (installed locally on REMOTE) but we are not able to authenticate against the domain.

So the question is: how can I authenticate against the domain but prevent them from doing anything on any other computer (pc or server) on the domain?

I appreciate any help you all are able to offer.
Americom commented:
You can try removing REMOTE from the domain and rejoining it to the domain and see if that helps.
As far as what displays on the Security tab, with the old domain name or not, it really shouldn't affect your application from authenticating domain users. The only security that would have an impact is what's in the Members tab. The Security tab is only for who has what access to which AD object; it has nothing to do with resources on another computer.
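
The distinction drawn in the answers above (the Members tab grants the privilege, the Security tab is the ACL on the group object itself) can be checked with a read-only audit. The script below is an added example, not part of the thread: it assumes PowerShell 2.0 or later on a domain-joined machine, takes its three default members from the first answer, and compares each Security tab trustee's SID with the current domain's SID to show whether an entry displayed under an older domain name really belongs to another domain.

```powershell
# Added example (not from the thread): read-only ADSI audit of Builtin\Administrators.
# Assumptions: domain-joined machine, PowerShell 2.0+, caller can read the directory.
$domainDn = ([ADSI]'LDAP://RootDSE').defaultNamingContext
$group    = [ADSI]"LDAP://CN=Administrators,CN=Builtin,$domainDn"
$sidBytes = ([ADSI]"LDAP://$domainDn").objectSid[0]
$domSid   = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)

# Default members as listed in the answer above.
$defaults = 'Administrator', 'Domain Admins', 'Enterprise Admins'

# Members tab: these entries are what actually confer administrative rights.
$members = foreach ($dn in $group.member) {
    $m    = [ADSI]"LDAP://$dn"
    $sam  = [string]$m.sAMAccountName
    $note = 'added'
    if ($defaults -contains $sam) { $note = 'default' }
    New-Object PSObject -Property @{
        Name = $sam; Class = $m.psbase.SchemaClassName; Note = $note
    }
}

# Security tab: the ACL on the group object (who may read or change the group).
$ntAccount = [System.Security.Principal.NTAccount]
$sidType   = [System.Security.Principal.SecurityIdentifier]
$rules     = $group.psbase.ObjectSecurity.GetAccessRules($true, $true, $sidType)
$sids      = $rules | ForEach-Object { $_.IdentityReference } | Sort-Object Value -Unique

$trustees = foreach ($sid in $sids) {
    # A SID that no longer resolves points at a deleted or unreachable principal.
    try   { $name = $sid.Translate($ntAccount).Value }
    catch { $name = '<unresolved>' }

    # Compare the SID's domain part with this domain's SID, not the displayed name.
    $origin = 'other domain'
    if ($null -eq $sid.AccountDomainSid)           { $origin = 'well-known/builtin' }
    elseif ($sid.AccountDomainSid.Equals($domSid)) { $origin = 'current domain' }

    New-Object PSObject -Property @{ Name = $name; Sid = $sid.Value; Origin = $origin }
}

$members  | Sort-Object Note, Name   | Format-Table Name, Class, Note -AutoSize
$trustees | Sort-Object Origin, Name | Format-Table Name, Origin, Sid -AutoSize
```

Trustees reported as "current domain" belong to the existing domain whatever prefix the Security tab displays; only "other domain" or unresolved entries refer to principals outside it.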
Question has a verified solution.
