Is there a known issue like this???????????

Hi all

I have a 2003 domain. 2 Windows 2003 servers which is DC's and the
workstations are xp pro except for one which is 2000 professional. I was
busy implementing a GPO when the following happened. When logging on to the
workstations with the administrative account you are restricted as if you
are a domain user. After altering this issue was sorted out except for the
windows 2000 machine which continues to handle the admin account with
restrictive permissions. All the xp pc's on the network is fine

Is there a known issue where 2000 professional doesn't work properly in a xp
pro/2003 network and should i be putting xp pro on this pc also or what. Any
ideas??????? Thanks

Sounds like you implemented restricted groups and then rolled back the GPO
in question. If this is the case you have to manually reconfigure any 2000
machines as restricted groups doesn't automatically undo in 2k. That's a
new feature introduced in NT 5.1 and later.

So in answer to your question, there is no known issue where 2000 doesn't
work with XP and 2003 in general, although there are behavioural
differences. If you've backed out a restricted groups policy setting, then
I would expect XP and k3 to revert and not 2k, as stated above.

Check the membership of the (local) administrators group on the computer in
question and add domain admins back in there if it's missing.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

Hi paul

it makes sense what you are saying because i logged on a xp pc with exactly
the same account and i could work as a domain admin which makes 2000 Pro the
culprit.

You recommend the following "Check the membership of the (local)
administrators group on the computer in
> question and add domain admins back in there if it's missing..." but how
> ???? because even if i log in with the administrator account on that pc i
> can access gpedit.msc through the run command because i don't have rights?

Thanks for your help


"Paul Williams [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Sounds like you implemented restricted groups and then rolled back the GPO
> in question. If this is the case you have to manually reconfigure any
> 2000 machines as restricted groups doesn't automatically undo in 2k.
> That's a new feature introduced in NT 5.1 and later.
>
> So in answer to your question, there is no known issue where 2000 doesn't
> work with XP and 2003 in general, although there are behavioural
> differences. If you've backed out a restricted groups policy setting,
> then I would expect XP and k3 to revert and not 2k, as stated above.
>
> Check the membership of the (local) administrators group on the computer
> in question and add domain admins back in there if it's missing.
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net
>
>
>
>

.. . . and yes, you should be looking at retiring the W2k
as that OS is reaching its end of support lifetime.

"MSExchange2003Student" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Hi all
>
> I have a 2003 domain. 2 Windows 2003 servers which is DC's and the
> workstations are xp pro except for one which is 2000 professional. I was
> busy implementing a GPO when the following happened. When logging on to
> the workstations with the administrative account you are restricted as if
> you are a domain user. After altering this issue was sorted out except for
> the windows 2000 machine which continues to handle the admin account with
> restrictive permissions. All the xp pc's on the network is fine
>
> Is there a known issue where 2000 professional doesn't work properly in a
> xp pro/2003 network and should i be putting xp pro on this pc also or
> what. Any ideas??????? Thanks
>

Fire up a command prompt and type NET LOCALGROUP ADMINISTRATORS

That will output the members of the group. You have read access by default.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

Hi, i did run the command and this is what i get :

Aliasname - Administrator
Comment........

Members
-------------------------------------------------------------------------------------------
Administrator
<MyDomain>\Local ADMINS

The command was completed successfully

What must i do from here as i tried to log-in after i ran the command with
the domain administrator account and was still restricted? Please help me?


"Paul Williams [MVP]" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Fire up a command prompt and type NET LOCALGROUP ADMINISTRATORS
>
> That will output the members of the group. You have read access by
> default.
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net
>
>
>

Basically, restricted groups policy has removed domain admins from that
group. So, assuming you've undone the restricted groups policy (unlinked,
or backed out the setting) you need to logon as either administrator or a
member of local admins and add domain admins back into the administrators
group. You will need to do this on every affected machine. If there's more
than two or three, you need to do this with a script or command line tool.
Here's a couple of ways:
-- http://www.msresource.net/content/view/45/47/


Otherwise, consider CUSRMGR.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

Hi paul

I have totally deleted the policy that was causing this from Group policy
Management on the server. You say "...you need to logon as either
administrator or a member of local admins and add domain admins back into
the administrators
group...." - Where must i do this because if i log onto the win2000 machine
which is the only machine with the problem that i do not have admin rights
so i cannot add anyone to any group. Sorry if i don't get it but its my
first time in such a awkward predicament. Thanks for the help so far.


"Paul Williams [MVP]" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> Basically, restricted groups policy has removed domain admins from that
> group. So, assuming you've undone the restricted groups policy (unlinked,
> or backed out the setting) you need to logon as either administrator or a
> member of local admins and add domain admins back into the administrators
> group. You will need to do this on every affected machine. If there's
> more than two or three, you need to do this with a script or command line
> tool. Here's a couple of ways:
> -- http://www.msresource.net/content/view/45/47/
>
>
> Otherwise, consider CUSRMGR.
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net
>
>

In your previous post you showed that you do have administrative privileges:

Administrator
<MyDomain>\Local ADMINS


Those are both members of administrators, which means in order to do
anything you must logon as either Administrator or a member of the Local
ADMINS group.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

Paul, NO i do NOT have admin rights when i log onto that workstation with
the admin account. that is the whole issue here

Any ideas?

"Paul Williams [MVP]" <(E-Mail Removed)> wrote in message
news:%23qQDVg$(E-Mail Removed)...
> In your previous post you showed that you do have administrative
> privileges:
>
> Administrator
> <MyDomain>\Local ADMINS
>
>
> Those are both members of administrators, which means in order to do
> anything you must logon as either Administrator or a member of the Local
> ADMINS group.
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net
>
>