W2kLocalGroupPolicy
ConfigurationRules for LocalGroups on Windows 2000 client computers
Options

 


Index:


Activating / Disabling Configuration Rules
Built-in local groups

Create Reports

Main Menu

 

 

 

Main Menu:

 


Delete logfiles older than


Use this function to delete the logfiles of ComputerNames that have been deleted from Your domain’s Server Manager. The button deletes all logfiles, but they are regenerated by W2kLocalGroupRights.exe running in Your clients’ LoginScript.


Activate / Disable Configuration files


The 8 txt-files (1-LR) – (4-NR) holding ComputerNames, DomainUserNames and LocalUserNames don’t work before You activate them.

Activating is done for each of the built-in local groups on the W2k-clients:
Administrators, Backup operators, Guests, Power Users, Replicator and Users.

If You want to disable one or more of the 8 txt-files, don’t delete the file(s), just disable them.

Activating/Disabling the txt-files takes effect from the next run of W2kLocalGroupRights.exe in Your clients’ LoginScript.


(1-LR) 


YES: DomainUsers using ComputerNames in £’Computer’-DomainUserYes.txt

For each activated local group one txt-file for each computer holding the DomainUserNames You want to create as a member of the activated built-in local group on this computer.

We recommend using this LowRisk ConfigurationRule


(1-NR)  


NO:  DomainUsers using ComputerNames in £’Computer’-DomainUserNo.txt

For each activated local group one txt-file for each computer holding the DomainUserNames You want to remove from the activated built-in local group on this computer.

 


(2-LR) 


YES: LocalUsers using ComputerNames in £’Computer’-LocalUserYes.txt

For each activated local group one txt-file for each computer holding the LocalUserNames You want to create as a member of the activated built-in local group on this computer.

 


(2-NR) 


NO:  DomainUsers using ComputerNames in £’Computer’-LocalUserNo.txt


For each activated local group one txt-file for each computer holding the LocalUserNames You want to remove from the activated built-in local group on this computer.

 


(3-HR) 


YES: Everybody using Computernames in £ComputerNameYes.txt


For each activated local group one txt-file holding the ComputerNames where You want everybody who logs in to be created as a member of the activated built-in local group on these computers.

Warning: Only use this HighRisk ConfigurationRule on computers where a lot of users log in. Everyone who logs in to these computers gains total admin-power over all the other computers in this file, if You activate it for the built-in local Administrators group.


(3-NR) 


NO:  Nobody using Computernames in £ComputerNameNo.txt

For each activated local group one txt-file holding the ComputerNames where You want to remove every DomainUser (who logs in) from the activated built-in local group on these computers.


(4-HR) 


YES: The user on any Computer if DomainUser in £DomainUserYes.txt

For each activated local group one txt-file holding the DomainUserNames You want to create as a member of the activated built-in local group on any computer on Your Network.

Warning: If You activate this ConfigurationRule for the built-in local Administrators group, the DomainUsers in this file gain total admin-power on all the computers they log in to on Your Network.


(4-NR) 


NO:  The user on any Computer if DomainUser in £DomainUserNo.txt

For each activated local group one txt-file holding the DomainUserNames You want to remove as a member of the activated built-in local group on any computer on Your Network.

 

Create Reports:


When did Your users reboot their computers last time

 


Important: You should run this report frequently!

Activating ConfigurationRules doesn’t by itself ensure that the DomainUsers and LocalUsers are created in or removed from the local groups on the W2k-client computers.

All Your activated ConfigurationRules are only run on the computers when Your users log in to them, and only if You have forced them to run W2kLocalGroupRights.exe in their LoginScript.

So it is important that Your users log in every day. Use this report to ensure that they do. When running the report, You have an opportunity to send a NET SEND message to the computers that are not rebooted frequently.

You can also run this report by making a shortcut to W2kLastReboot.exe saved in the log-file directory on Your server.


Members of local admin group on all computers


Here You can find all the DomainUsers and LocalUsers who are members of the local Administrators group on every W2k-computer attached to and running on Your Network.


Passwords for local administrator on the client computer


The local administrator’s password on Your W2k-clients must be different for each of Your W2k-clients!


Otherwise any of Your DomainUsers guessing/hacking the password will gain total control over all of the other W2k-client computers, from his/her own W2k-client computer.

Because of this security risk, all Your users running W2kLocalGroupRights.exe will have a random password generated for the local administrator. The random password will only be generated if the global Domain Admins group is a member of the local administrators group, and if the random password can be processed in this report.

This shouldn’t give You any problems, as the global Domain Admins group is always a member of the local administrators group on each W2k-client computer.

If You want to know the random password generated, then use this report.

 

You can also run this report by making a shortcut to W2kLocalPassword.exe saved in the log-file directory on Your server.


Split following reports if X of first characters in computernames are identical

 

If You have chosen to arrange Your ComputerNames so that they start with the same characters within each department, and with different characters for the other departments, You can split the reports for each department.

Input the number of characters, that are the same for each department.

 

 


Users not granted rights because of the current rules


Here You can find all the DomainUsers and LocalUsers that have been removed from the activated local groups on all the computers on Your Network.


Users granted rights because of the current rules


Here You can find all the DomainUsers and LocalUsers that have been created in the activated local groups on all the computers on Your Network.

 

Activating / Disabling Configuration Rules:




Activate / Disable Configuration files


The 8 txt-files (1-LR) – (4-NR) holding ComputerNames, DomainUserNames and LocalUserNames, and the 5 ConfigurationRules (5-HR) – (8-NR), don’t work before You activate them.


(5-LR) 


Every character in ComputerName identical with LoginName

For each activated local group the DomainUser is created as a member of the activated built-in local group on the computer if ComputerName is identical with the DomainUser’s name.


(5-HR) 


Characters (from left) in ComputerName identical with LoginName

For each activated local group the DomainUser is created as a member of the activated built-in local group on the computer if the characters (the number You input) from the left in ComputerName are identical with the characters (from the left) in the DomainUser’s name.

Example:
ComputerName   = SALES01
DomainUserName = SALESJOHN
Characters     = 5

Warning: If You activate this ConfigurationRule for the built-in local Administrators group, and You choose a low number of characters, many of Your DomainUsers can gain total admin-power on all the computers they log in to on Your Network.
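
An added audit sketch (not part of W2kLocalGroupPolicy or its documentation) that lists which DomainUsers rule (5-HR) would place in an activated local group for a given number of characters, so the effect of a low number can be checked before activating the rule. The function names are hypothetical, case-insensitive comparison is an assumption, and all sample names except the page's SALES01 / SALESJOHN pair are constructed.

```python
from collections import defaultdict


def prefix_rule_grants(computers, users, chars):
    """Return {computer: [users]} that rule (5-HR) would grant membership.

    Assumptions: names compare case-insensitively, and a name shorter
    than `chars` never matches.
    """
    if chars < 1:
        raise ValueError("chars must be at least 1")
    by_prefix = defaultdict(list)
    for user in users:
        if len(user) >= chars:
            by_prefix[user[:chars].upper()].append(user)
    grants = {}
    for computer in computers:
        if len(computer) >= chars:
            matched = by_prefix.get(computer[:chars].upper(), [])
            if matched:
                grants[computer] = sorted(matched)
    return grants


def exposure_by_length(computers, users, max_chars):
    """Count the (computer, user) grants for each number of characters."""
    return {
        n: sum(len(v) for v in prefix_rule_grants(computers, users, n).values())
        for n in range(1, max_chars + 1)
    }


# Constructed sample inventory; SALES01 / SALESJOHN come from the page's example.
COMPUTERS = ["SALES01", "SALES02", "SALARY01", "STOCK01"]
USERS = ["SALESJOHN", "SALESANNA", "SALARYBOB", "STOCKEVE", "SAM"]

if __name__ == "__main__":
    for n, pairs in exposure_by_length(COMPUTERS, USERS, 6).items():
        print(f"{n} characters: {pairs} computer/user grants")
    for computer, members in prefix_rule_grants(COMPUTERS, USERS, 5).items():
        print(computer, "->", ", ".join(members))
```

With the sample inventory, 5 characters keeps each department's users on that department's computers, while 1 character grants every user membership on every computer.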


(6-LR) 


Number of logins before earlier granted users are removed

For security reasons the activated ConfigurationRules only take effect from the second time the user logs in to the computer.

If all Your users always use their own computer, and nobody uses their colleagues’ computers, You should set this ConfigurationRule to 0 (zero).

When users borrow each other’s computers, they have to make 2 logins each time they get back to their own computer (before the ConfigurationRules have effect).

If that is a problem, set this ConfigurationRule for each of the activated local groups.


(7-NR) 


NOBODY but the LocalAdministrator and DomainAdminsGroup

Set this ConfigurationRule for the activated local administrators group if You want to be totally sure that nobody other than members of the global Domain Admins group gains total admin-power on all computers.


(8-NR) 


Remove Local users other than LocalAdministrator and DomainAdminsGroup

Warning: If You set this rule for the activated local Guests group, You will remove the local guest user from the local Guests group.


User Contact:


Write Your occupation, name and phone number here, because this will be used in messages to Your users.


Path on server:


Input the local hard disk drive letter on the server, where You want the log-files to be created (same place as W2kLocalGroupRights.exe)


ServerName


Input the server’s name in Your domain’s Server Manager preceded with \\


Servers DomainName


Input the DomainName where the server is installed.

 

Built-in local groups:


Administrators


Members of this local group have full control over the computer. It is the only built-in group that is automatically granted every built-in right and ability in the system.


Backup Operators


Members of this local group can back up and restore files on the computer, regardless of any permissions that protect those files. They can also log onto the computer and shut it down, but they cannot change security settings.


Guests


This local group allows occasional or one-time users to log on to a computer’s built-in local Guest-User and be granted limited abilities. Members of this local group can also shut down the system.


Replicator


This local group supports directory replication functions. The only member of this local group should be a DomainUser used to log on the Replicator services of the domain controller. Do not add the DomainUsers of actual users to this local group.


Power Users


Members of this local group can create local UserNames, but can only modify and delete their own local UserNames. They can create local groups and remove local users from their own local groups.
They can also remove local users from the local Power Users, local Users, and local Guests groups.

They can’t modify the local Administrators or local Backup Operators groups, nor can they take ownership of files, back up or restore directories, load or unload device drivers, or manage the security and auditing logs on the computer.


Users


Members of the Users group can perform most common tasks, such as running applications, using local and network printers, and shutting down and locking the workstation. Users can create local groups, but can modify only the local groups that they created. Users cannot share directories or create local printers.
All new Local Users created are added to this group.

