Solved

Unable to Properly Restrict User Privileges on Windows XP Pro

Posted on 2010-11-18
13
392 Views
Last Modified: 2012-05-10
We have a pretty simple setup. A Dell server running Windows Server 2003 Standard Edition w/ SP2 and 3 Dell workstations all running Windows XP Pro SP3.

We recently had problems with malware attacks, so I went ahead and removed Administrator rights from the workstations.

However, one of the workstations still seems to have administrator rights. If I go to this workstation and click on Users in the Control Panel, it shows this account as being a restricted "User" account, not Admin. Yet, I can still install programs and do pretty much anything I want under this account, so clearly the privileges are still at the Admin level for this account.

How can I properly restrict this workstation? Does this need to be done on the Server, the workstation, or both?
0
Comment
Question by:anuneznyc
13 Comments
 
LVL 11

Expert Comment

by:louisreeves
ID: 34170200
GPMC is how rights can be controlled, and policy is not as hard as they say.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

You can google how to control a lot of things using GPMC. Another way to go is with ISA Server. These are nice tools, but you want to know what you are doing when you use them.

ISA SERVER IS good and this guy is all over the place with his ISA knowledge:

http://www.isaserver.org/tutorials/Configuring-ISA-Firewalls-ISA-2006-RC-Support-User-Certificate-Authentication-using-Constrained-Delegation-Part2.html
0
 
LVL 6

Expert Comment

by:thiagotietze
ID: 34170413
lol.... Just don't understand why that much information in the last comment...

It seems pretty simple:

1 - Which groups is this user a member of? Is it an Active Directory user? A local user?
2 - Is the user explicitly listed in the groups on the machine (Administrative Tools --> Computer Management)? In Active Directory, is the user a member of any group that has admin access to the machine?
3 - After the permissions were changed, was the user logged off?
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34170641
Assuming you have been through the AD side of things, I would rename the local profile, and have him log in again, and see if it remains......

Definitely check for nested groups as well as the above references....
0
 

Author Comment

by:anuneznyc
ID: 34220649
Thanks for the feedback guys. Sorry I was AWOL for over a week. I need to get back on this system this weekend to check out the settings.

How can I verify whether this particular account is local or on the AD? Is it possible to be both? If so, then how do I determine whether the rights are being controlled/set by the local machine or the AD?

Thanks.
0
 
LVL 6

Assisted Solution

by:thiagotietze
thiagotietze earned 150 total points
ID: 34222085
You can check the user by (when logged in to the account) running CMD, then typing "set u".
It will show you some information about the user, and the user will be shown as:
DOMAINNAME\username or MACHINENAME\username

This can tell you the information..

And no, a computer user account is a computer user account, and a domain user account is a domain user account.
0
 

Author Comment

by:anuneznyc
ID: 34226857
Thanks for that, thiagotietze.
Running net u @ command prompt shows this user as being part of the domain, so that means the rights are controlled by the AD on the server.

On the server when I open up the AD, I see this user is part of a group called "Domain Admins" under an AD folder called domain.foo.net/Users.

I will take him out of this "Domain Admins" group.
0
 
LVL 66

Accepted Solution

by:
johnb6767 earned 250 total points
ID: 34244992
"Running net u @ command prompt shows this user as being part of the domain, so that means the rights are controlled by the AD on the server."

Not exactly... Which LOCAL groups this user is a member of dictates what rights the user has on the box. If they are not a member of the local Admins group, they can't install stuff... Now, with that said, if they are in a Domain Admin group, those rights can get filtered to the local box because the Domain Admins group is a member of the Local Admins group on the box.

Go to start>run>lusrmgr.msc, and look in the Admins group. Is this user listed as "username" or "domain\username"?

If it is just "username", is there also a user listed there under the Users category? If so, might be your problem.....

0
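The nesting described in the accepted answer (a domain group sitting inside the local Administrators group), as an added example that is not part of the original thread: Python that reads the text of `net localgroup Administrators` plus a table of domain group memberships and lists every chain that gives an account local admin rights. The `EXAMPLE` domain, the account names and both sample inputs are constructed.

```python
import re

# Constructed sample: `net localgroup Administrators` on a domain-joined workstation.
LOCAL_ADMINS_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
EXAMPLE\\Domain Admins
The command completed successfully.
"""

# Constructed sample: domain group -> direct members (users or nested groups),
# collected on the server, e.g. from `net group "<name>" /domain`.
DOMAIN_GROUPS = {
    "EXAMPLE\\Domain Admins": ["EXAMPLE\\Administrator", "EXAMPLE\\jdoe", "EXAMPLE\\IT Support"],
    "EXAMPLE\\IT Support": ["EXAMPLE\\mlee"],
}

def parse_members(net_output):
    """Return the names listed between the dashed rule and the status line."""
    lines = net_output.splitlines()
    start = next(i for i, l in enumerate(lines) if re.fullmatch(r"-{10,}", l.strip()))
    members = []
    for line in lines[start + 1:]:
        if not line.strip() or line.startswith("The command completed"):
            break
        members.append(line.strip())
    return members

def admin_paths(account, local_admins, domain_groups):
    """Return every membership chain that makes `account` a local administrator."""
    paths = []
    def walk(name, chain):
        if name.lower() == account.lower():   # Windows account names ignore case
            paths.append(chain + [name])
            return
        for member in domain_groups.get(name, []):
            if member not in chain:           # guard against circular nesting
                walk(member, chain + [name])
    for entry in local_admins:
        walk(entry, ["Administrators (local)"])
    return paths

if __name__ == "__main__":
    admins = parse_members(LOCAL_ADMINS_OUTPUT)
    for path in admin_paths("EXAMPLE\\jdoe", admins, DOMAIN_GROUPS):
        print(" -> ".join(path))
```

An empty result means the account reaches local Administrators through none of the groups supplied, so any admin rights it still has come from somewhere the inputs do not cover.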
 

Author Comment

by:anuneznyc
ID: 34245484
Thanks johnb6767. Running lusrmgr.msc shows this particular user correctly in the 'Users' group and NOT in the 'Administrators' group. Which is exactly how I need it to be.

Now trying to run devmgmt.msc results in a message that the user does not have sufficient rights to change device properties. So perfect! Now this user seems pretty locked down unless he logs in under a different admin account. So now if they get slammed by another malware attack, the damage should be minimal or even null.

Thanks for the good advice!
0
 
LVL 6

Expert Comment

by:thiagotietze
ID: 34247180
Yes, the above information is right too. SET U is a command to quickly find out where your user resides.

If the user was a Domain Admin, this "Domain Group" was added to the Administrators "Local Group" on the machine (this is a default for Windows), so the problem is explained.

As a best practice, only add users to the Domain Admins group if it is an ADMIN-ONLY account.
Normally, Domain Admin accounts are not supposed to be logged on to desktops every day.
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34254752
"So now if they get slammed by another malware attack, the damage should be minimal or even null."

Good news and bad news with that.....

Viruses that write to protected areas of the system, yeah, you're fairly safe. But the majority of the rogues write to the user profile, which by default a limited user has 99% control over..... So it will be minimal but not foolproof.....
0
 

Author Comment

by:anuneznyc
ID: 34268135
Good point JB. The problem has been that this user has (on 2 different occasions) managed to get infected w/ malware that hijacked his email address in Outlook 2003 and started sending spam messages by the thousands, to which the email hosting company would respond by blacklisting/locking his email address and then of course he couldn't send any messages at all.

That was a real nuisance, so I'm hoping the change in user rights will prevent this kind of attack?
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34271467
It should help quite a bit.. Just won't stop 100% of infections......

I would start looking at disciplinary actions myself.....

Wanna find out where he is going, for proof??

IEHistoryView
http://www.nirsoft.net/utils/iehv.html

MyLastSearch
http://www.nirsoft.net/utils/my_last_search.html

Can do it from your machine to get proof. When you present that to the employee, usually has a tendency to make them become a safer Web Surfer....  :)

0
 

Author Comment

by:anuneznyc
ID: 34272372
Good idea. Thanks.
0


Question has a verified solution.
