Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 947
  • Last Modified:

userWorkstation Attrib

I have found an issue with several users. They are restricted to logging onto only certin comps. The first problem is that even when we switch them they switch back overnight. And the bigger issue is the only computers that they can log onto are the DC and exchange servers.I have traced it all to one AD subgroup. The parent subgroup does not have this issue. Is there a subgroup attrib that governs the user subgroup? I have tried manually replicating through all servers manually, I just cleared them through the attrib field but it will most likely have the same result. Is there also a GPO that governs this?
0
OSGangsta
Asked:
OSGangsta
1 Solution
 
Mike KlineCommented:
When you say they switch back overnight, if you switch them during the day do they clear back in approximately 60 minutes.  Where they ever in any protected/elevated groups.  I'm leaning towards adminsdholder

http://policelli.com/blog/?p=136
http://blogs.technet.com/b/askds/archive/2009/05/07/five-common-questions-about-adminsdholder-and-sdprop.aspx

Check the admincount attribute on those accounts

Thanks

Mike
0
 
Chev_PCNCommented:
You can govern logons via a GPO, and propagation of that GPO could be determined by OU, or by OU+group membership. You could try something like running RSOP on the user and PC accounts & that should clearly show what policies are being applied. Otherwise check which OU's the objects are in & what GPO's apply to those objects.
0
 
OSGangstaAuthor Commented:
Mike,
it is not set. And yes it does reset after a hour or so. Chev, I looked through ou's gp policy and I am not seeing anything that is affecting that setting.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Mike KlineCommented:
if it is after an hour then it almost definitely points to adminsdholder go through those links and check the admincount attribute on the user too.
Thanks
 
Mike
0
 
OSGangstaAuthor Commented:
Well I feel really dumb saying this but I made a rookie mistake. I didn't pay attention to the fact that they had SBS server. Turns out they were going over on thier licenses by 30+ so it was locking the most recent addition out.

Thanks for your answers though.
0
 
Mike KlineCommented:
ahhh ok, at least you found it.  We all make mistakes...you are not alone :)
0
 
Darius GhassemCommented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
0

Featured Post

[Webinar] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now