Local admin accounts gone haywire

Frisk

Hi, I hope somebody can help me.

I run a pretty largish network with 2 domain controllers. We've just
relocated our company to a large building, so I've had this opportunity
to implement a solid network environment.

Until yesterday morning I had everything running great.

I split the network using organisational units and group policies.

e.g.

tech
sales
management

etc

All worked fine: the sales group all have very restricted privileges on
their workstations, tech could join domains and do general network
admin etc.

I thought that the icing on the cake would be to allow anyone in the
tech group to automatically log on with local administrator privileges
on any machine (there's around 200 workstations here) using their logon
(I know I should've just kept with using the local admin logon). So to
do this I added Administrators to the Restricted Groups in the tech
group policy and made Office Tech (the security group which all techs
are members of) a member.

After forcing a GP update this seemed to work: all techs automatically
had local admin privileges on any workstation they logged onto, but
after a little analysis I decided this was a little unsafe and removed
the Restricted Groups entry.

I did a few other little edits of other GPs (I've been tweaking the
network), but nothing major and nothing that should have any effect on
anything. But now here's the problem.

When I log on as the domain administrator on any workstation, I no
longer have local administrative rights on that machine, unless I
rejoin the workstation to the domain, and I don't really want to have to
do that with 200+ machines when I've done it already.

Also, the tech group still always have local admin privileges on
workstations (even workstations they've never logged onto before) even
though none are members of any administrator group and I removed the
Restricted Groups policy.

Just to make sure, I've just now created a fresh new tech user called
roger.rabbit

Here's the gpresult output

Microsoft (R) Windows (R) 2000 Operating System Group Policy Result
tool
Copyright (C) Microsoft Corp. 1981-1999


Created on Wednesday, March 08, 2006 at 12:26:13 PM


Operating System Information:

Operating System Type: Professional
Operating System Version: 5.0.2195.Service Pack 4
Terminal Server Mode: Not supported

###############################################################

User Group Policy results for:

CN=Roger Rabbit,OU=Tech,OU=Office,DC=reach,DC=local

Domain Name: REACH
Domain Type: Windows 2000
Site Name: Default-First-Site

Roaming profile: (None)
Local profile: C:\Documents and Settings\roger.rabbit

The user is a member of the following security groups:

REACH\Domain Users
\Everyone
BUILTIN\Users
BUILTIN\Administrators
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
\LOCAL
REACH\Office Tech
REACH\Office Admin
REACH\Office Dev


###############################################################

Last time Group Policy was applied: Wednesday, March 08, 2006 at
12:24:37 PM


===============================================================


The user received "Registry" settings from these GPOs:

Default Domain Policy
Tech


===============================================================
The user received "Internet Explorer Branding" settings from these
GPOs:

Default Domain Policy
Tech



###############################################################

Computer Group Policy results for:

CN=WS-008,CN=Computers,DC=reach,DC=local

Domain Name: REACH
Domain Type: Windows 2000
Site Name: Default-First-Site


The computer is a member of the following security groups:

BUILTIN\Administrators
\Everyone
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users
REACH\WS-008$
REACH\Domain Computers

###############################################################

Last time Group Policy was applied: Wednesday, March 08, 2006 at
12:24:13 PM
Group Policy was applied from: svr-bdc.reach.local


===============================================================


The computer received "Registry" settings from these GPOs:

Local Group Policy
Default Domain Policy


===============================================================
The computer received "Security" settings from these GPOs:

Local Group Policy
Default Domain Policy


===============================================================
The computer received "EFS recovery" settings from these GPOs:

Local Group Policy
Default Domain Policy


Can anyone help me understand what's going on? I really don't want to
have to rebuild, and I used to feel that I understood Win2000
networking pretty well, but this has just stumped me.

I appreciate any suggestions.
 
Florian Frommherz

Howdy Frisk!

> After forcing a GP update this seemed to work, all techs automatically
> have local admin privileges on any workstation they logged onto, but
> after a little analysis, I decided this was a little unsafe and removed
> the restrictive group.

Okay.

> When I log on as the domain administrator on any workstation, I no
> longer have local administrative rights on that machine, unless I
> rejoin the workstation to the domain, and I don't really want to have to
> do that with 200+ machines when I've done it already.

That's clear. See: the Restricted Groups feature doesn't _add_ the users
to the admins group, it _replaces_ the users located in that group. In
simple words: you replaced yourself and the local administrators of the
machines with the tech group as admins.

> Also, the tech group still always have local admin privileges on
> workstations (even workstations they've never logged onto before) even
> though none are members of any administrator group and I removed the
> Restricted Groups policy.

After you removed the Restricted Groups policy, the tech users still
belong to the admins group because no one took them out. You would
have to take them out manually.

> Can anyone help me understand what's going on? I really don't want to
> have to rebuild, and I used to feel that I understood Win2000
> networking pretty well, but this has just stumped me.

The easiest solution would be: add a new Restricted Groups policy and
let Domain Admins have administrator rights on the local machines. Don't
forget to explicitly add the local admins to the Administrators group.
After applying the GP, the tech users will automatically drop out...

cheers,

Florian
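The replace-not-add behaviour Florian describes is the whole story of this thread, so here is a small model of it as an added example (not code from the thread or from Microsoft). It assumes the documented semantics of a Restricted Groups "Members of this group" entry: the list in the policy becomes the group's entire membership, and removing the GPO afterwards does not put anything back. The workstation name, group names and the `simulate_thread` walkthrough are constructed from the names used in the posts.

```python
"""Model of a Restricted Groups "Members" entry (added example, not from the
thread). Assumed semantics: applying the entry makes the local group's
membership EQUAL to the policy list; removing the GPO is not an undo."""

from dataclasses import dataclass, field


@dataclass
class LocalGroup:
    """A local group on one workstation, e.g. BUILTIN\\Administrators."""
    name: str
    members: set = field(default_factory=set)


def apply_members_entry(group: LocalGroup, policy_members: set) -> LocalGroup:
    """Apply a 'Members of this group' entry: the policy list is authoritative.

    Accounts not listed are removed, listed accounts are added. Nothing in the
    group's previous membership survives unless it is also in the policy.
    """
    group.members = set(policy_members)
    return group


def remove_policy(group: LocalGroup) -> LocalGroup:
    """Unlinking or deleting the GPO leaves the group exactly as last applied."""
    return group


def audit_missing_admins(group: LocalGroup, required: set) -> set:
    """Defender's check: which expected admin accounts are absent from the group?"""
    return set(required) - group.members


def simulate_thread() -> dict:
    """Walk through the sequence of events from the posts on one workstation."""
    # Constructed names: the workstation WS-008 and the domain REACH appear in
    # the thread; the local Administrator is the built-in account.
    required = {"WS-008\\Administrator", "REACH\\Domain Admins"}
    admins = LocalGroup("Administrators", set(required))
    states = {"initial": set(admins.members)}

    # Step 1: tech GPO with Members = Office Tech. Domain Admins and the local
    # Administrator are not on the list, so they are removed (symptom 1).
    apply_members_entry(admins, {"REACH\\Office Tech"})
    states["after_tech_policy"] = set(admins.members)

    # Step 2: the entry is removed. No policy is applied any more, so the
    # membership stays as it was last written (symptom 2).
    remove_policy(admins)
    states["after_policy_removed"] = set(admins.members)
    states["missing_after_removal"] = audit_missing_admins(admins, required)

    # Step 3: Florian's fix, a new entry that lists BOTH the local Administrator
    # and Domain Admins explicitly. Office Tech is not listed and drops out.
    apply_members_entry(admins, required)
    states["after_fix"] = set(admins.members)
    return states


if __name__ == "__main__":
    for phase, members in simulate_thread().items():
        print(f"{phase:>24}: {sorted(members)}")
```

The detail that bites in step 3 is the one Florian flags: a "Members" list that names only Domain Admins would remove the local Administrator account too, which is why `required` carries both names.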
 
Frisk

I hope you're still here Florian :)

Let me just double check I implemented this right :)

I created a new restricted group for "Administrators" and made "Domain
Admins" a member.

I also checked to make sure that BUILTIN\Administrator was a member of
Administrators on the DC.

This worked: tech users no longer had admin privileges by default and I
could log in as Administrator with administrative privileges on
workstations. However, a couple of hiccups still remain!

On one of my workstations I have Veritas running and last night it gave
me an error saying that it didn't have the proper privileges to start the
Veritas backup service.

And also in the application log on the DC, every 5 minutes or so, I
keep getting the same error:

Event Type: Warning
Event Source: SceCli
Event Category: None
Event ID: 1202
Date: 3/9/2006
Time: 12:24:35 PM
User: N/A
Computer: SVR-PDC
Description:
Security policies are propagated with warning. 0x534 : No mapping
between account names and security IDs was done.

For best results in resolving this event, log on with a
non-administrative account and search http://support.microsoft.com for
"troubleshooting 1202 events".
A user account in one or more Group policy objects (GPOs) could not be
resolved to a SID. This error is possibly caused by a mistyped or
deleted user account referenced in either the User Rights or Restricted
Groups branch of a GPO. To resolve this event, contact an
administrator in the domain to perform the following actions:

I did what the error suggested and troubleshot the account, and it
responded with the "Power Users" account on the Default Domain
Policy...

Any suggestions as to what still might be going on?

Thanks
 
Florian Frommherz

Howdy Frisk!

> I also checked to make sure that BUILTIN\Administrator was a member of
> Administrators on the DC.

And ... what about the _local_ administrators on the workstations? Are
they admins as they were before? Because...

> On one of my workstations I have Veritas running and last night it gave
> me an error saying that it didn't have the proper privileges to start the
> Veritas backup service.

...this could be the reason why Veritas can't back up, due to a
privileges problem. Or what does Veritas run as?

> And also in the application log on the DC, every 5 minutes or so, I
> keep getting the same error:
>
> Event Type: Warning
> Event Source: SceCli
> Event Category: None
> Event ID: 1202
> Date: 3/9/2006
> Time: 12:24:35 PM
> User: N/A
> Computer: SVR-PDC
> Description:
> Security policies are propagated with warning. 0x534 : No mapping
> between account names and security IDs was done.

There's a problem when mapping the user you specified to the restricted
group. How did you specify the user? By name? By SID? What did you do
with the Power Users account? Remember: domain controllers don't know
about "Power Users" - they don't exist in domains.

cheers,

Florian
 
Frisk

Hey Florian,

Thanks for all your help.

I just logged onto a workstation as local Administrator and noticed in
Users and Passwords that both administrator accounts appear as
Debugger Users for some reason. I assumed they were administrators
originally, as I could view other users' documents and settings and
change the time! I think this may have been set accidentally by one of my
techie staff when they were installing the machine.

However, I checked 2 other of my workstations and when I log on as
either local or domain Administrator, I don't see the Users and
Passwords control panel?

After setting the restricted group back yesterday I removed it today, but it
should still be applied, shouldn't it... ?

Veritas ran using the Administrator account... the domain Administrator.

I still don't think the proper privileges have been restored yet.

Regarding the mapping error... after seeing the error I entered:

FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log

and it returned "Cannot find Power Users", and when I identified the GP
using

FIND /I "Power Users" %SYSTEMROOT%\Security\templates\policies\gpt*.*

it returned the Default Domain Policy.

Now I think this all ties in with what happened before, as the only
people that use the Power Users privilege are the tech group (for
installing programs, and I think some also have that privilege as
default on their machines; some have local admin).

I appreciate your help
 
Florian Frommherz

Howdy Frisk!

> I just logged onto a workstation as local Administrator and noticed in
> Users and Passwords that both administrator accounts appear as
> Debugger Users for some reason. I assumed they were administrators
> originally, as I could view other users' documents and settings and
> change the time! I think this may have been set accidentally by one of my
> techie staff when they were installing the machine.
>
> However, I checked 2 other of my workstations and when I log on as
> either local or domain Administrator, I don't see the Users and
> Passwords control panel?

I would have left the GP there to make sure that really _all_ machines
have applied the new policy. It can't do any harm, anyway.

> I still don't think the proper privileges have been restored yet.

I don't think so either. What confuses me is that the error message
indicates a "problem" with the "Power Users", which doesn't make any
sense, since you added only admins to the restricted group.

Maybe you could check if and when the GP got applied by using
"gpresult.exe" on the client machines. Can you post the snippet of
winlogon.log that indicates the error?

cheers,

Florian
 
Frisk

Hi Florian

OK, I added back the restricted group... I created the group
BUILTIN\Administrators and made Administrator and Domain Admins
members of the group.

Our domain is called reach.local. When I originally created the
restricted group for tech I'm sure I only created it for the tech
organisational unit, but I've created the above restricted group at the
domain level (the Default Domain Policy for reach.local). Could this
have something to do with the problem? I assumed that the Default
Domain Policy would overwrite a policy further in the domain tree.

Here's a snippet from the winlogon.log:

----Configuration engine is initialized successfully.----

----Reading Configuration template info...


----Configure User Rights...
Configure S-1-5-32-544.
Configure S-1-5-32-551.
Configure Power Users.
Error 1332: No mapping between account names and security IDs was done.
Cannot find Power Users.
Configure S-1-5-32-545.
Configure S-1-1-0.
Configure S-1-5-6.
Configure S-1-5-21-1993962763-1897051121-839522115-1000.
Configure S-1-5-21-1993962763-1897051121-839522115-501.

User Rights configuration completed with error.


----Configure Group Membership...
Configure Administrators.

Group Membership configuration completed successfully.


I appreciate your help Florian.

If you email me at (e-mail address removed), I'll email you the log if it helps.
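The winlogon.log snippet is the most useful artefact in this thread: Security Configuration logs every principal it tries to configure, and the one it could not resolve is the one the SceCli 1202 warning is about. The following parser, an added example that is not part of the thread, reads such a log, reports the unresolved names per section, and decodes the well-known SIDs so the "Configure S-1-5-32-544." lines become readable. The embedded sample is the excerpt Frisk posted; the SID and RID tables are standard Windows values, and the observation that entries the policy editor could resolve are stored as SIDs while an unresolvable name stays as text is the mechanism behind Florian's point that Power Users does not exist on a domain controller.

```python
"""Parse a winlogon.log excerpt (Security Configuration engine log) and
report unresolved accounts per section. Added example, not from the thread."""

import re

# Constructed sample: the excerpt quoted in the post above.
SAMPLE_WINLOGON_LOG = """----Configuration engine is initialized successfully.----

----Reading Configuration template info...


----Configure User Rights...
Configure S-1-5-32-544.
Configure S-1-5-32-551.
Configure Power Users.
Error 1332: No mapping between account names and security IDs was done.
Cannot find Power Users.
Configure S-1-5-32-545.
Configure S-1-1-0.
Configure S-1-5-6.
Configure S-1-5-21-1993962763-1897051121-839522115-1000.
Configure S-1-5-21-1993962763-1897051121-839522115-501.

User Rights configuration completed with error.


----Configure Group Membership...
Configure Administrators.

Group Membership configuration completed successfully.
"""

# Standard well-known SIDs (not page-specific values).
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-6": "NT AUTHORITY\\SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-547": "BUILTIN\\Power Users",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}
# Standard relative identifiers inside a domain or machine SID.
KNOWN_RIDS = {500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}

SID_RE = re.compile(r"^S-1-(?:\d+-)*\d+$")
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def describe_principal(token: str) -> str:
    """Turn a 'Configure <token>.' entry into a human-readable description."""
    if token in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[token]
    m = DOMAIN_SID_RE.match(token)
    if m:
        rid = int(m.group(2))
        label = KNOWN_RIDS.get(rid, f"RID {rid} (not a built-in account)")
        return f"domain {m.group(1)}: {label}"
    if SID_RE.match(token):
        return "unknown SID"
    # A bare name was stored in the template, so it must be resolvable on
    # every host that applies the policy; on a DC, "Power Users" is not.
    return "stored by name (must resolve on the applying host)"


def parse_winlogon_log(text: str) -> dict:
    """Return configured principals, unresolved names and errors, by section."""
    section = None
    configured, unresolved, errors = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("----Configure "):
            section = line[4:].rstrip(".")
        elif line.startswith("Configure ") and line.endswith("."):
            token = line[len("Configure "):-1]
            configured.append((section, token, describe_principal(token)))
        elif line.startswith("Cannot find "):
            unresolved.append((section, line[len("Cannot find "):].rstrip(".")))
        elif line.startswith("Error "):
            errors.append((section, line))
    return {"configured": configured, "unresolved": unresolved, "errors": errors}


def unresolved_names(text: str) -> list:
    """Quick check equivalent to FIND /I "Cannot find" on the log."""
    return [name for _, name in parse_winlogon_log(text)["unresolved"]]


if __name__ == "__main__":
    report = parse_winlogon_log(SAMPLE_WINLOGON_LOG)
    for section, token, desc in report["configured"]:
        print(f"[{section}] {token:<50} {desc}")
    for section, name in report["unresolved"]:
        print(f"UNRESOLVED in {section}: {name}")
```

Run against the sample, the only unresolved entry is "Power Users" in the User Rights section, which matches the event's pointer to the User Rights branch of the Default Domain Policy rather than to the Restricted Groups entry Frisk was editing.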
 
Frisk

Hi Florian

Also, looking at the event logs for Veritas, it's failing because the
Administrator account doesn't have the necessary user rights to "log on
as a service"...

What's the easiest way to reset the domain Administrator account to its
original default rights on the domain?

Thanks for your help
 
