Jump to content

TS 2003 and Restricted Groups

Guest Lasse

By Guest Lasse
in Windows NT Server

 Share

Recommended Posts

Guest Lasse

Guest Lasse

Posted
Posted

Hi

 

We have a Terminal Server 2003 (Member server) in our AD and I am the

administrator. Currently when I login as Administrator I don't have

administrative rights but if I login with my own username/password I do.

What I don't understand is that both my own user and the Administrator are

members of <Domain>\Administrators, Domain Admins and Enterprise Admins but

why the difference in rights when logged on to the TS?

We have a GPO set for the TS which sets Restricted Groups like this:

Group: BUILTIN\Administrators

Members:<Domain>\Administrators_company

Member of: BUILTIN\Administrators

The Administrators_company is a group with some of the superusers which have

administrator rights where both Administrator and my own user is member of.

 

I can actually login to the server with my own username and insert the

<Domain>\Administrator in the Administrators group under "Local Users and

Groups" and then it works but it's only for a short time, I guess it's

because of the GPO overwriting the settings.

 

As far as I understand I should be able to remove the GPO with the

Restricted Group without any problems because it only adds the

Administrator_company group as local administrator.

 

I hope this makes sense!

 

/Lasse

  • Replies 2
  • Created
  • Last Reply

Popular Days

Popular Days

Guest Lasse

Guest Lasse

Posted
Posted

RE: TS 2003 and Restricted Groups

 

I have just removed the GPO with the restricted groups and afterwards it

worked like it should.

I first assumed that Administrator was part of the group which was defined

in restricted groups but it wasn't.

This means that even if you use the domain administrator account it will

loose it's administrative rights if it's defined in restricted groups.

 

"Lasse" wrote:

> Hi

>

> We have a Terminal Server 2003 (Member server) in our AD and I am the

> administrator. Currently when I login as Administrator I don't have

> administrative rights but if I login with my own username/password I do.

> What I don't understand is that both my own user and the Administrator are

> members of <Domain>\Administrators, Domain Admins and Enterprise Admins but

> why the difference in rights when logged on to the TS?

> We have a GPO set for the TS which sets Restricted Groups like this:

> Group: BUILTIN\Administrators

> Members:<Domain>\Administrators_company

> Member of: BUILTIN\Administrators

> The Administrators_company is a group with some of the superusers which have

> administrator rights where both Administrator and my own user is member of.

>

> I can actually login to the server with my own username and insert the

> <Domain>\Administrator in the Administrators group under "Local Users and

> Groups" and then it works but it's only for a short time, I guess it's

> because of the GPO overwriting the settings.

>

> As far as I understand I should be able to remove the GPO with the

> Restricted Group without any problems because it only adds the

> Administrator_company group as local administrator.

>

> I hope this makes sense!

>

> /Lasse

Guest Priya Raghavan [MSFT]

Guest Priya Raghavan [MSFT]

Posted
Posted

Re: TS 2003 and Restricted Groups

 

Thanks for the update.

 

--

Thanks,

Priya.

 

--

This posting is provided "AS IS" with no warranties, and confers no rights.

 

"Lasse" <Lasse@discussions.microsoft.com> wrote in message

news:873C8B89-0222-4FC8-BE2D-0119010639A8@microsoft.com...

>I have just removed the GPO with the restricted groups and afterwards it

> worked like it should.

> I first assumed that Administrator was part of the group which was defined

> in restricted groups but it wasn't.

> This means that even if you use the domain administrator account it will

> loose it's administrative rights if it's defined in restricted groups.

>

> "Lasse" wrote:

>

>> Hi

>>

>> We have a Terminal Server 2003 (Member server) in our AD and I am the

>> administrator. Currently when I login as Administrator I don't have

>> administrative rights but if I login with my own username/password I do.

>> What I don't understand is that both my own user and the Administrator

>> are

>> members of <Domain>\Administrators, Domain Admins and Enterprise Admins

>> but

>> why the difference in rights when logged on to the TS?

>> We have a GPO set for the TS which sets Restricted Groups like this:

>> Group: BUILTIN\Administrators

>> Members:<Domain>\Administrators_company

>> Member of: BUILTIN\Administrators

>> The Administrators_company is a group with some of the superusers which

>> have

>> administrator rights where both Administrator and my own user is member

>> of.

>>

>> I can actually login to the server with my own username and insert the

>> <Domain>\Administrator in the Administrators group under "Local Users and

>> Groups" and then it works but it's only for a short time, I guess it's

>> because of the GPO overwriting the settings.

>>

>> As far as I understand I should be able to remove the GPO with the

>> Restricted Group without any problems because it only adds the

>> Administrator_company group as local administrator.

>>

>> I hope this makes sense!

>>

>> /Lasse

 Share
Go to topic listing
×
×
  • Create New...