Having trouble restricting Rights


Chris Coates

I need to restrict the rights on an OU of Win 2K Servers so that only the
DOMAIN Admins have the right to create shares.
I went into the Group Policy Settings on the OU and under Computer
Settings - Windows Settings - Local Policies - User Rights assignment - I
set "Create Permanent Shared Objects" to just Domain Admins.
However, a user who is in the LOCAL administrators group can still create
shares.
Even though he is a local admin (which he has to be), I need to apply a
couple of restrictions.
I also applied the restriction from the same location "Shut Down the System"
so only domain admins can shut down. This one works. Local administrators
cannot shut down the server.
Why is one policy (shutdown) working and the other (Create Shares) not?
I understand I could remove my local admin from the admins group and just
delegate certain rights, but in this case that is not an option.

Thanks

ccoates
 
Hi Chris-

You may have already done this, but what is the effective setting that
appears for that user right in SECPOL.MSC on that machine? Does it show the
setting you were hoping to see in the Effective field?

A good way to see if there is an error while processing a security setting
such as user rights is to enable WINLOGON logging. If there is a failure
while configuring the user right, then it will appear in that log on
that machine.

245422 How to Enable Logging for Security Configuration Client Processing in
http://kb/article.asp?id=Q245422

Offhand, the only time I can recall seeing similar behavior occurring is when
there are unresolvable SIDs (from deleted groups or accounts, for example) in
the user right list. The processing fails and no other accounts are
processed for that user right. WINLOGON logging will show it if that is the
case.

Please repost with what you find.
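
The unresolvable-SID condition described in the reply above can also be checked directly against the rights list. This is an added example, not part of the original posts: the function name `Find-UnresolvableRightsSid` and the file path are hypothetical, and it assumes the user-rights export is examined with PowerShell on a machine that can resolve the domain's SIDs (Windows 2000 itself does not ship PowerShell).

```powershell
# Added example: list user-rights entries whose SIDs no longer resolve.
# Input: an INF exported on the server with
#   secedit /export /cfg C:\temp\rights.inf /areas USER_RIGHTS
# (C:\temp\rights.inf is a placeholder path.)
function Find-UnresolvableRightsSid {
    param(
        [Parameter(Mandatory)] [string] $InfPath,
        # Privilege constants for the two rights discussed in the thread:
        # "Create permanent shared objects" and "Shut down the system".
        [string[]] $Right = @('SeCreatePermanentPrivilege', 'SeShutdownPrivilege')
    )

    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $InfPath) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Only the [Privilege Rights] section holds user-rights assignments.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $line -notmatch '^(\w+)\s*=\s*(.*)$') { continue }

        $name    = $Matches[1]
        $members = $Matches[2]
        if ($Right -notcontains $name) { continue }

        foreach ($entry in ($members -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
            # SIDs are written as *S-1-...; plain account names are skipped.
            if ($entry -notmatch '^\*(S-\d+(-\d+)+)$') { continue }
            $sid = $Matches[1]
            try {
                $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch [System.Security.Principal.IdentityNotMappedException] {
                $account = $null   # deleted group or account: SID has no name
            }
            [pscustomobject]@{
                Right    = $name
                Sid      = $sid
                Account  = $account
                Resolved = [bool]$account
            }
        }
    }
}

# Show only the entries that failed to resolve.
Find-UnresolvableRightsSid -InfPath 'C:\temp\rights.inf' | Where-Object { -not $_.Resolved }
```

SIDs of accounts local to the server will also show as unresolved when the file is examined from a different machine, so compare those against the server's own local accounts before treating them as orphaned.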
 