• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 408

Unable to Properly Restrict User Privileges on Windows XP Pro

We have a pretty simple setup. A Dell server running Windows Server 2003 Standard Edition w/ SP2 and 3 Dell workstations all running Windows XP Pro SP3.

We recently had problems with malware attacks, so I went ahead and removed Administrator rights from the workstations.

However, one of the workstations still seems to have administrator rights. If I go to this workstation and click on Users in the Control Panel, it shows this account as being a restricted "User" account, not Admin. Yet, I can still install programs and do pretty much anything I want under this account, so clearly the privileges are still at the Admin level for this account.

How can I properly restrict this workstation? Does this need to be done on the Server, the workstation, or both?
louisreeves Commented:
GPMC is how rights can be controlled, and policy is not as hard as they say.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&displaylang=en

You can google how to control a lot of things using GPMC. Another way to go is with ISA Server. These are nice tools, but you want to know what you are doing when you use them.

ISA Server is good, and this guy is all over the place with his ISA knowledge:

http://www.isaserver.org/tutorials/Configuring-ISA-Firewalls-ISA-2006-RC-Support-User-Certificate-Authentication-using-Constrained-Delegation-Part2.html
 
thiagotietze Commented:
lol.... Just don't understand why that much information in the last comment...

It seems pretty simple:

1 - Which groups is this user part of? Is it an Active Directory user? A local user?
2 - Is the user explicitly listed in the groups on the machine (Administrative Tools --> Computer Management)? In Active Directory, is the user a member of any group that has admin access to the machine?
3 - After the permissions were changed, was the user logged off?
 
johnb6767 Commented:
Assuming you have been through the AD side of things, I would rename the local profile, have him log in again, and see if it remains......

Definitely check for nested groups as well as the above references....
 
anuneznyc (Author) Commented:
Thanks for the feedback guys. Sorry I was AWOL for over a week. I need to get back on this system this weekend to check out the settings.

How can I verify whether this particular account is local or on the AD? Is it possible to be both? If so, then how do I determine whether the rights are being controlled/set by the local machine or the AD?

Thanks.
 
thiagotietze Commented:
You can check the user by (when logged in to the account) running CMD, then typing "set u".
It will show you some information about the user, and the user will be shown as:
DOMAINNAME\username or MACHINENAME\username

This can tell you the information..

And no, a computer user account is a computer user account, and a domain user account is a domain user account.
 
anuneznyc (Author) Commented:
Thanks for that, thiagotietze.
Running net u @ command prompt shows this user as being part of the domain, so that means the rights are controlled by the AD on the server.

On the server when I open up the AD, I see this user is part of a group called "Domain Admins" under an AD folder called domain.foo. net/Users.

I will take him out of this "Domain Admins" group.
 
johnb6767 Commented:
"Running net u @ command prompt shows this user as being part of the domain, so that means the rights are controlled by the AD on the server."

Not exactly... What LOCAL groups this user is a member of dictates what rights the user has on the box. If they are not a member of the local Admins group, they can't install stuff... Now, with that said, if they are in a Domain Admins group, those rights can get filtered to the local box, because the Domain Admins group is a member of the local Admins group on the box.

Go to Start > Run > lusrmgr.msc, and look in the Admins group. Is this user listed as "username" or "domain\username"?

If it is just "username", is there also a user listed there under the Users category? If so, that might be your problem.....

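The checks from the two answers above (the "set u" domain-vs-local test, and whether a domain group such as Domain Admins is nested inside the local Administrators group) in one script. This is an added example, not code from the thread; it assumes PowerShell 2.0 or later has been installed on the XP box, which is not the case by default.

```powershell
# Added example: why an account shown as a restricted "User" can still
# act as an administrator on a domain-joined workstation.
# Assumes PowerShell 2.0+ is installed (not present on XP SP3 by default).

# 1. Same information as "set u": local or domain account?
$who = "$env:USERDOMAIN\$env:USERNAME"
if ($env:USERDOMAIN -ieq $env:COMPUTERNAME) {
    "$who is a LOCAL account"
} else {
    "$who is a DOMAIN account (rights still depend on LOCAL group membership)"
}

# 2. What the logon token actually carries, regardless of what the
#    Control Panel Users applet displays.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $id
$isAdmin = $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
"Token has Administrators rights: $isAdmin"

# 3. Expand the local Administrators group through the WinNT provider,
#    following nested groups, so a domain group such as "Domain Admins"
#    (added to local Administrators by default on domain join) is opened
#    up and its members listed. Depth is capped to stop on circular nesting.
function Get-GroupMembers {
    param([string]$AdsPath, [int]$Depth = 0)
    $group = [ADSI]$AdsPath
    foreach ($m in @($group.psbase.Invoke("Members"))) {
        $name  = $m.GetType().InvokeMember("Name",    "GetProperty", $null, $m, $null)
        $class = $m.GetType().InvokeMember("Class",   "GetProperty", $null, $m, $null)
        $path  = $m.GetType().InvokeMember("AdsPath", "GetProperty", $null, $m, $null)
        ("  " * $Depth) + "$class : $name  ($path)"
        if ($class -eq "Group" -and $Depth -lt 5) {
            Get-GroupMembers -AdsPath $path -Depth ($Depth + 1)
        }
    }
}

"Members of $env:COMPUTERNAME\Administrators (nested groups expanded):"
Get-GroupMembers -AdsPath "WinNT://$env:COMPUTERNAME/Administrators,group"
```

If the account appears only under an indented domain group in the last listing, the fix belongs in Active Directory (remove it from that group), not in lusrmgr.msc; the token line tells you immediately whether the change has taken effect after a fresh logon.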
 
anuneznyc (Author) Commented:
Thanks johnb6767. Running lusrmgr.msc shows this particular user correctly in the 'Users' group and NOT in the 'Administrators' group, which is exactly how I need it to be.

Now trying to run devmgmt.msc results in a message that the user does not have sufficient rights to change device properties. So perfect! Now this user seems pretty locked down unless he logs in under a different admin account. So now if they get slammed by another malware attack, the damage should be minimal or even null.

Thanks for the good advice!
 
thiagotietze Commented:
Yes, the above information is right too. SET U is a command to quickly find out where your user resides.

If the user was a Domain Admin, this "Domain Group" was added to the Administrators "Local Group" on the machine (this is the default for Windows), so the problem is explained.

As a best practice, only add users to the Domain Admins group if it is an ADMIN-ONLY account.
Normally, Domain Admin accounts are not supposed to be logged on to desktops every day.
 
johnb6767 Commented:
"So now if they get slammed by another malware attack, the damage should be minimal or even null."

Good news and bad news with that.....

Viruses that write to protected areas of the system, yeah, you're fairly safe. But the majority of the rogues write to the user profile, which by default a limited user has 99% control over..... So it will be minimal, but not foolproof.....
 
anuneznyc (Author) Commented:
Good point JB. The problem has been that this user has (on 2 different occasions) managed to get infected w/ malware that hijacked his email address in Outlook 2003 and started sending spam messages by the thousands, to which the email hosting company would respond by blacklisting/locking his email address, and then of course he couldn't send any messages at all.

That was a real nuisance, so I'm hoping the change in user rights will prevent this kind of attack?
 
johnb6767 Commented:
It should help quite a bit.. Just won't stop 100% of infections......

I would start looking at disciplinary actions myself.....

Wanna find out where he is going, for proof??

IEHistoryView
http://www.nirsoft.net/utils/iehv.html

MyLastSearch
http://www.nirsoft.net/utils/my_last_search.html

Can do it from your machine to get proof. When you present that to the employee, usually has a tendency to make them become a safer Web Surfer....  :)

 
anuneznyc (Author) Commented:
Good idea. Thanks.