anuneznyc (asker):
Unable to Properly Restrict User Privileges on Windows XP Pro

We have a pretty simple setup. A Dell server running Windows Server 2003 Standard Edition w/ SP2 and 3 Dell workstations all running Windows XP Pro SP3.

We recently had problems with malware attacks, so I went ahead and removed Administrator rights from the workstations.

However, one of the workstations still seems to have administrator rights. If I go to this workstation and click on Users in the Control Panel, it shows this account as being a restricted "User" account, not Admin. Yet I can still install programs and do pretty much anything I want under this account, so clearly the privileges are still at the Admin level for this account.

How can I properly restrict this workstation? Does this need to be done on the Server, the workstation, or both?
louisreeves:

GPMC is how rights can be controlled, and policy is not as hard as they say.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

You can Google how to control a lot of things using GPMC. Another way to go is with ISA Server. These are nice tools, but you want to know what you are doing when you use them.

ISA Server is good, and this guy is all over the place with his ISA knowledge:

http://www.isaserver.org/tutorials/Configuring-ISA-Firewalls-ISA-2006-RC-Support-User-Certificate-Authentication-using-Constrained-Delegation-Part2.html
thiagotietze:

lol... I just don't understand why there is that much information in the last comment...

It seems pretty simple:

1 - Which groups is this user a member of? Is it an Active Directory user? A local user?
2 - Is the user explicitly listed in the groups on the machine (Administrative Tools --> Computer Management)? In Active Directory, is the user a member of any group that has admin access to the machine?
3 - After the permissions were changed, was the user logged off?
johnb6767:
Assuming you have been through the AD side of things, I would rename the local profile, have him log in again, and see if it remains...

Definitely check for nested groups as well as the above references...
anuneznyc (asker):
Thanks for the feedback, guys. Sorry I was AWOL for over a week. I need to get back on this system this weekend to check out the settings.

How can I verify whether this particular account is local or on the AD? Is it possible to be both? If so, then how do I determine whether the rights are being controlled/set by the local machine or the AD?

Thanks.
thiagotietze (solution; text not available on this page)

anuneznyc (asker):
Thanks for that, thiagotietze.
Running set u at a command prompt shows this user as being part of the domain, so that means the rights are controlled by the AD on the server.

On the server, when I open up the AD, I see this user is part of a group called "Domain Admins" under an AD folder called domain.foo.net/Users.

I will take him out of this "Domain Admins" group.
johnb6767 (accepted solution; text not available on this page)

anuneznyc (asker):
Thanks, johnb6767. Running lusrmgr.msc shows this particular user correctly in the 'Users' group and NOT in the 'Administrators' group, which is exactly how I need it to be.

Now, trying to run devmgmt.msc results in a message that the user does not have sufficient rights to change device properties. So, perfect! Now this user seems pretty locked down unless he logs in under a different admin account. So now if they get slammed by another malware attack, the damage should be minimal or even null.

Thanks for the good advice!
Yes, the above information is right too. SET U is a command to quickly find out where your user resides.

If the user was a Domain Admin, that domain group is added to the Administrators local group on the machine (this is a Windows default), so that explains the problem.

As a best practice, only add users to the Domain Admins group if it is an ADMIN-ONLY account.
Normally, Domain Admin accounts are not supposed to be logged on to desktops every day.
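As an added example (not code from the thread or from any of the posters), the checks thiagotietze and johnb6767 describe above, plus the Domain Admins -> local Administrators nesting just explained, can be done in one PowerShell script run on the workstation as the account in question. It assumes PowerShell 2.0 or later and whoami.exe are present (whoami is not on a stock XP install), and that the workstation can reach a domain controller so domain groups can be expanded; no computer, domain or user names are hard-coded.

```powershell
# Added example, not from the original thread. Run on the workstation,
# logged on as the account whose rights are in question.
# Assumes: PowerShell 2.0+ and whoami.exe available; a reachable DC.

# 1. Where does the account live? Same check as "set u": USERDOMAIN equal to
#    COMPUTERNAME means a local account, anything else is a domain account.
function Get-AccountScope {
    if ($env:USERDOMAIN -eq $env:COMPUTERNAME) { 'Local' } else { 'Domain' }
}

# 2. What does the logon token say? "whoami /groups" lists every group SID
#    the token carries, nested groups included, which is what actually grants
#    rights. BUILTIN\Administrators is always S-1-5-32-544, so match the SID
#    rather than a display name that lusrmgr.msc may render differently.
function Test-TokenIsAdmin {
    $rows = whoami /groups /fo csv | ConvertFrom-Csv
    [bool]($rows | Where-Object { $_.SID -eq 'S-1-5-32-544' })
}

# 3. Walk the local Administrators group and recursively expand any member
#    that is itself a group (local or domain), so a chain such as
#    Administrators -> DOMAIN\Domain Admins -> DOMAIN\user becomes visible.
#    Uses the WinNT ADSI provider, which reads both the local SAM and the
#    domain without RSAT. MaxDepth guards against circular nesting.
function Expand-Group {
    param(
        [string]$AdsPath = "WinNT://$env:COMPUTERNAME/Administrators",
        [int]$Depth = 0,
        [int]$MaxDepth = 5
    )
    if ($Depth -gt $MaxDepth) { return }
    $group = [ADSI]"$AdsPath,group"
    foreach ($member in @($group.Invoke('Members'))) {
        # Members come back as raw COM objects; read their properties via reflection.
        $type  = $member.GetType()
        $path  = $type.InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        $class = $type.InvokeMember('Class',   'GetProperty', $null, $member, $null)
        New-Object PSObject -Property @{
            Depth = $Depth
            Class = $class
            Path  = $path
        }
        if ($class -eq 'Group') {
            Expand-Group -AdsPath $path -Depth ($Depth + 1) -MaxDepth $MaxDepth
        }
    }
}

# Usage: scope of the account, the effective token answer, then the chain.
"Account scope : $(Get-AccountScope) ($env:USERDOMAIN\$env:USERNAME)"
"Token is admin: $(Test-TokenIsAdmin)"
Expand-Group | Format-Table Depth, Class, Path -AutoSize
```

The token check (step 2) is the one that settles the question in the thread: lusrmgr.msc only shows direct members of the local group, while the token reflects every nested group the account is in, so a domain user who is not listed under Administrators can still carry S-1-5-32-544 through Domain Admins. Step 3 then shows which group provides that path. Remember that the token is built at logon, so the user must log off and back on after a group change for either output to change.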
"So now if they get slammed by another malware attack, the damage should be minimal or even null."

Good news and bad news with that.....

For viruses that write to protected areas of the system, yeah, you're fairly safe. But the majority of the rogues write to the user profile, which by default a limited user has 99% control over... So it will be minimal, but not foolproof...
Good point, JB. The problem has been that this user has (on 2 different occasions) managed to get infected w/ malware that hijacked his email address in Outlook 2003 and started sending spam messages by the thousands, to which the email hosting company would respond by blacklisting/locking his email address, and then of course he couldn't send any messages at all.

That was a real nuisance, so I'm hoping the change in user rights will prevent this kind of attack?
It should help quite a bit. It just won't stop 100% of infections...

I would start looking at disciplinary actions myself.....

Wanna find out where he is going, for proof??

IEHistoryView
http://www.nirsoft.net/utils/iehv.html

MyLastSearch
http://www.nirsoft.net/utils/my_last_search.html

You can do it from your machine to get proof. When you present that to the employee, it usually has a tendency to make them become a safer web surfer... :)

Good idea. Thanks.