You Cannot Restrict Domain Users Who Have Local Administrator Permissions from Resetting and Registering Computer Accounts (824195)
The information in this article applies to:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server

SYMPTOMS

When you configure computer object permissions in the Active Directory directory service so that users can join their computers to the domain, and you also want to enforce all the following restrictions:
  • Only a domain administrator can register a computer account.
  • Users cannot reset a computer account.
  • Users cannot register a computer account.
  • Users have local Administrator permissions on their own respective computers, and they have Domain Users permissions in the domain.
the restrictions cannot be enforced. Specifically, such users can still reset and register the computer account in the domain.

CAUSE

This issue occurs because a user who has local Administrator permissions on a computer has access to that computer's account password and can therefore reset or register the computer account in the domain. The computer account password is stored in a local secret (the LSA secrets store) that is fully readable by any local administrator, so permissions set on the computer object in Active Directory cannot prevent this.
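Because the behavior described above cannot be prevented by permissions on the computer object, the practical control is to audit computer account changes on the domain controllers. The following script is an added example and is not part of this article or of any Microsoft tool; it assumes Security log records have been exported into a simple "key=value" text format (an assumption made for the example) and uses the real event IDs 646 (Windows 2000, "Computer Account Changed") and 4742 (Windows Server 2008 and later). It parses constructed sample records, ignores the routine password changes a computer performs on its own account, and flags changes made by any account not on an approved list of administrators.

```python
"""Flag computer-account changes performed by non-approved accounts.

Added example, not part of KB 824195 or any Microsoft tool. The log
format (EventID=... Subject=... Target=...) and the sample records are
constructed for illustration; the event IDs 646 and 4742 are real.
"""
from dataclasses import dataclass
import re

# Windows 2000 "Computer Account Changed" (646) and its Windows Server
# 2008+ equivalent (4742). A computer account password reset is logged
# as a change to the computer account.
COMPUTER_ACCOUNT_CHANGE_EVENTS = {646, 4742}


@dataclass(frozen=True)
class ComputerAccountChange:
    event_id: int
    subject: str   # DOMAIN\account that performed the change
    target: str    # computer account that was changed, e.g. CORP\WS01$


# Constructed sample records (assumed export format, not a real log).
SAMPLE_LOG = """\
EventID=646 Subject=CORP\\adm-jsmith Target=CORP\\WS01$ Action=PasswordReset
EventID=4742 Subject=CORP\\jdoe Target=CORP\\WS02$ Action=AccountChanged
EventID=4624 Subject=CORP\\jdoe Target=CORP\\WS02$ Action=Logon
EventID=4742 Subject=CORP\\WS03$ Target=CORP\\WS03$ Action=AccountChanged
"""

LINE_RE = re.compile(r"EventID=(\d+) Subject=(\S+) Target=(\S+)")


def parse_changes(log_text):
    """Return only the computer-account change events found in log_text."""
    changes = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        event_id = int(match.group(1))
        if event_id not in COMPUTER_ACCOUNT_CHANGE_EVENTS:
            continue  # unrelated event (logon, etc.)
        changes.append(ComputerAccountChange(event_id, match.group(2), match.group(3)))
    return changes


def is_self_change(change):
    """True when the computer changed its own account (routine rotation)."""
    return change.subject.lower() == change.target.lower()


def suspicious_changes(changes, approved_subjects):
    """Changes to computer accounts made by anyone outside the approved set."""
    approved = {s.lower() for s in approved_subjects}
    return [
        c for c in changes
        if not is_self_change(c) and c.subject.lower() not in approved
    ]


if __name__ == "__main__":
    found = parse_changes(SAMPLE_LOG)
    for change in suspicious_changes(found, ["CORP\\adm-jsmith"]):
        print(f"event {change.event_id}: {change.subject} changed {change.target}")
```

The routine self-change exclusion matters: a reset performed from the computer itself with the machine's own stored credentials is logged under the computer account, so this check only surfaces changes made under a user's domain identity. Treat the approved list as the set of accounts that are supposed to register or reset computer accounts in your environment.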

Modification Type: Major
Last Reviewed: 8/27/2003
Keywords: kbwinservds kbActiveDirectory kbprb KB824195 kbAudITPRO