TS 2003 and Restricted Groups

  • Thread starter Thread starter Lasse
  • Start date Start date
L

Lasse

Guest
Hi

We have a Terminal Server 2003 (Member server) in our AD and I am the
administrator. Currently when I login as Administrator I don't have
administrative rights but if I login with my own username/password I do.
What I don't understand is that both my own user and the Administrator are
members of <Domain>\Administrators, Domain Admins and Enterprise Admins but
why the difference in rights when logged on to the TS?
We have a GPO set for the TS which sets Restricted Groups like this:
Group: BUILTIN\Administrators
Members:<Domain>\Administrators_company
Member of: BUILTIN\Administrators
The Administrators_company is a group with some of the superusers which have
administrator rights where both Administrator and my own user is member of.

I can actually login to the server with my own username and insert the
<Domain>\Administrator in the Administrators group under "Local Users and
Groups" and then it works but it's only for a short time, I guess it's
because of the GPO overwriting the settings.

As far as I understand I should be able to remove the GPO with the
Restricted Group without any problems because it only adds the
Administrator_company group as local administrator.

I hope this makes sense!

/Lasse
 
RE: TS 2003 and Restricted Groups

I have just removed the GPO with the restricted groups and afterwards it
worked like it should.
I first assumed that Administrator was part of the group which was defined
in restricted groups but it wasn't.
This means that even if you use the domain administrator account it will
loose it's administrative rights if it's defined in restricted groups.

"Lasse" wrote:

> Hi
>
> We have a Terminal Server 2003 (Member server) in our AD and I am the
> administrator. Currently when I login as Administrator I don't have
> administrative rights but if I login with my own username/password I do.
> What I don't understand is that both my own user and the Administrator are
> members of <Domain>\Administrators, Domain Admins and Enterprise Admins but
> why the difference in rights when logged on to the TS?
> We have a GPO set for the TS which sets Restricted Groups like this:
> Group: BUILTIN\Administrators
> Members:<Domain>\Administrators_company
> Member of: BUILTIN\Administrators
> The Administrators_company is a group with some of the superusers which have
> administrator rights where both Administrator and my own user is member of.
>
> I can actually login to the server with my own username and insert the
> <Domain>\Administrator in the Administrators group under "Local Users and
> Groups" and then it works but it's only for a short time, I guess it's
> because of the GPO overwriting the settings.
>
> As far as I understand I should be able to remove the GPO with the
> Restricted Group without any problems because it only adds the
> Administrator_company group as local administrator.
>
> I hope this makes sense!
>
> /Lasse
 
Re: TS 2003 and Restricted Groups

Thanks for the update.

--
Thanks,
Priya.

--
This posting is provided "AS IS" with no warranties, and confers no rights.

"Lasse" <Lasse@discussions.microsoft.com> wrote in message
news:873C8B89-0222-4FC8-BE2D-0119010639A8@microsoft.com...
>I have just removed the GPO with the restricted groups and afterwards it
> worked like it should.
> I first assumed that Administrator was part of the group which was defined
> in restricted groups but it wasn't.
> This means that even if you use the domain administrator account it will
> loose it's administrative rights if it's defined in restricted groups.
>
> "Lasse" wrote:
>
>> Hi
>>
>> We have a Terminal Server 2003 (Member server) in our AD and I am the
>> administrator. Currently when I login as Administrator I don't have
>> administrative rights but if I login with my own username/password I do.
>> What I don't understand is that both my own user and the Administrator
>> are
>> members of <Domain>\Administrators, Domain Admins and Enterprise Admins
>> but
>> why the difference in rights when logged on to the TS?
>> We have a GPO set for the TS which sets Restricted Groups like this:
>> Group: BUILTIN\Administrators
>> Members:<Domain>\Administrators_company
>> Member of: BUILTIN\Administrators
>> The Administrators_company is a group with some of the superusers which
>> have
>> administrator rights where both Administrator and my own user is member
>> of.
>>
>> I can actually login to the server with my own username and insert the
>> <Domain>\Administrator in the Administrators group under "Local Users and
>> Groups" and then it works but it's only for a short time, I guess it's
>> because of the GPO overwriting the settings.
>>
>> As far as I understand I should be able to remove the GPO with the
>> Restricted Group without any problems because it only adds the
>> Administrator_company group as local administrator.
>>
>> I hope this makes sense!
>>
>> /Lasse
 
Back
Top