Administrator is not the "Boss" on this machine.

  • Thread starter Thread starter GSCheyenne
  • Start date Start date
G

GSCheyenne

I'm running Win2000Pro on a notebook, which only I use,
both as a standone and when I'm at my office to network to
my desktop (running win98se), which only I use.

I really have no real need for "security" in the typical
sense of having one computer or network shared among
numerous users. (I suppose if somebody steals the
computers, they can peek at my blog, or other stuff
similarly useless to anyone else, but then I'll have the
greater worry about getting the computer back.)

So, I want to configure both computers with the MINIMUM of
passwords/lockouts/checkpoints and the MAXIMUM of free and
easy access . . . from myself to myself by myself.

I set up an "account" for myself in the "administrator"
group, naturally. I thought, and intend, that I have ALL
the rights, and nothing I can't change, and that seemed to
be working for a while.

Then the computer began to lock me out of certain
functions, such as changing the "location" of the computer
for dial-up rules. (Although I can go into the DUN
properties and change the rule manually, I can't access
"locations." I get an error saying that the access is
cancelled because of "restrictions on the computer" and "go
see you administrator." BUT I'M SUPPOSED TO BE THE
ADMINISTRATOR. More recently, it refused to send email,
with a msg that "relaying is denied by the adminstrator."

Apparently, in the early days of my stumbling around this
OS (oh, I should mention I've had this only about a month,
and Win2000Pro came with the machine, and w/o
documentation), I must have put some restriction (or
removed some rights) from the administrator definition (is
that what's called "group policy"?). I don't know if this
is related, but I know that I went into the list of
"services" and disabled some which I thought were accessing
websites I had no interest in. Could I have changed one I
shouldn't have?

How can I set if back to its default, where I get ALL the
rights?

Yes, of corse, I can reformat and reinstall WIN2000, BUT
I'm spent most of the month installing and customizing a
few dozen programs, toolbars, desktop formats, and such,
and it would waste a great deal of time if all that were
lost and had to be re-done. If it were necessary to
reformat/reinstall, is it possible to save my configs on
another computer?

Help! anyone!

Thanks.

G.
 
The link below describes how to reset defined security settings back to default
levels. You can simply copy and paste the command into your command prompt window. If
you can not run that command you may not be logged on as an administrator.

http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222

If you messed with Group Policy settings for user configuration the solution above
will not reverse those changes. If problems persist I suggest you open local Group
Policy via gpedit.msc in the run box and go to user configuration/administrative
templates and browse the various settings of which there are a couple hundred and if
you see any that are enabled or disabled, that may be causing the problem. Read the
descriptions of the defined setting and then reverse the restriction if any are found
as if setting is enabled set it to disabled. If nothing is defined, look for a
setting that sounds like it may be restricting your access and either enable or
disable it as appropriate. Also be sure to run a full virus scan on your computer
using the latest available definitions from your vendor as unexplained loss of access
could mean that you have been infected or hacked. Also run AdAware to check for
parasites. Even if you are more concerned about convenience that security you MUST
use a strong password for your administrator account as many trojans/malwares will
try to hack it and if it is weak or none they will be able to install themselves. --
Steve

http://www.microsoft.com/athome/security/protect/default.aspx
http://www.download.com/3000-2094-10045910.html?legacy=cnet
 
Thanks. I followed that, and found that all of the administrative
template\system\logon and \group policy and \windows file protection
items were "not configured."

I was still locked out of some control panel functions, particularly
"power options" and "phone and modem options;" then when I disabled
"Remove Network & Dialup Connections from Start Menu" I get in. (Not
the most obvious/intuitive title for that setting, I'd say.)

More surprising than that, now the desktop computer can see the
notebook, which it couldn't before, although the notebook always could
see the desktop. (Is is important to know why?)

There is still one, potential, issue. When I tried to change some
policy, I'd see two columns, one for "setting" (or something like that)
and the other for "effective setting," which seemed to refer to the
"domain" settings, which were overriding my changes preventing them from
taking effect. (But now, as usual, I can't get back to where I saw
that, and have only the one column for "settings." Has this cleared away
also?? Too good to be true.) Is there somewhere else I'd need to go to
change the "domain" policies?


In user configuration/administrative templates/system/group policy
there's one fhr "group policy domain controler selection" which
"enabled" and selects "use the primary domain controller."

Is this something I ought to know more about?




Many thanks, Steve, for leading me this far.


GSC

but I can open Network and Dial-up Connections."
 
The settings you saw for local versus effective were in Local Security Policy that
you can open via secpol.msc. Security policy is a subset of Group Policy computer
configuration. Apparently you computer is member on an Active Directory domain. If
that is the case then policy restrictions that you are experiencing are probably
coming from domain policy and not local Group Policy. Domain policy will always
override local policy when there are policy settings defined in both. You can use the
gpresult support tool to see what polices are being applied to both user and
computer. If you use it note that the /v switch can display much more detailed info.
Gpresult and other support tools are on the install cdrom in the support/tools folder
where you have to run the setup there to install them as a set. I am not sure why you
can see the computer that you could not before. It may have been a security option
for anonymous access that was changed that can cause browsing not to be 100 percent
reliable. The policy you mention for domain controller is not important to the
function of your computer itself. It just decides which domain controller will be
used when editing Group Policy for the domain from your computer. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;321709
 
Back
Top