AD permissions messed up
I have a serious problem with my domain at work. I work in a school; we used to have one Windows 2003 server as a DC.
Meanwhile I installed another server on the 2008 R2 platform and set it up as an additional DC. Then I reinstalled the first one, so now both of them run the 2008 R2 operating system.
Active Directory with users and policies was created a few years ago and worked fine. There were basically 3 types of users:
- student (user with minimal rights)
- teacher, and other staff (SuperUser)
- administrator (domain admin)
Until a few days ago everything worked fine, as only the administrator was able to use Remote Desktop or access, for example, the server's c$ or d$ drive.
Now somehow it's all messed up, and I don't recall making any changes in AD or GP.
So symptoms are these:
- Students, teachers and all other users are able to connect via Remote Desktop to any machine, including the server.
- All of them are able to access \\server\c$ or similar folders by DEFAULT (this did not change on other workstations, only on the servers)
So my questions are these:
Does anyone know this kind of behaviour from experience and can give me a fast solution?
If not, where exactly in Active Directory group policy can I reset these options:
- forbid use of Remote Desktop for all users except Administrator
- forbid browsing of any folders by any user unless they are specifically shared to that user
Another thing:
From XP computers lately I've been getting a message that I can't run Remote Administrator, no matter if I'm logged in as administrator or as another user.
Does it have something to do with the fact that I've raised the functionality level of the domain to 2008 R2? The message displayed is:
"Remote computer requires network level authentication, which your computer does not support."
Thanks in advance
February 27th, 2012 3:37pm
Hi,
First: sounds like your users must be local administrators (at least); log on with one of your student accounts and run whoami /groups, then run RSoP.
Second: run RSoP and let us see the results.
Mohammad Javad Bagdeli
February 27th, 2012 3:52pm
Hi,
First, there is only one student account, named 'student', for all students to log in with.
Second, right now I'm at home and I'm connected to the server via TeamViewer VPN. I've tried to log in to one of the XP machines as student (from the server that I've connected to via VPN), but in this case it seems the restriction works fine, so I couldn't log in due to the restrictions.
However, when I try to log in to the server as student from here (using the static IP I got from TeamViewer) I succeed, although I couldn't run cmd due to the restrictions. But the problem is that I shouldn't be able to do it at all with the student account.
Can I somehow get this data logged as administrator?
What exactly should I do after I run RSoP?
February 27th, 2012 4:08pm
I cannot try this on a Windows 7 machine, since they are all turned off at the moment, but today I was normally able to log in using a teacher's account via Remote Desktop.
Can it be that somehow only the Windows 7 and Server 2008 machines are affected by this? (only regarding Remote Desktop, because from XP I was able to browse the c$ folder on the server, logged in as student)
February 27th, 2012 4:17pm
I've managed to log on to the server using a teacher's account (which I also shouldn't be able to do) via TeamViewer VPN and I ran whoami /groups.
This is the output:
GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                     Alias            S-1-5-32-544 Group used for deny only
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554 Group used for deny only
NT AUTHORITY\REMOTE INTERACTIVE LOGON      Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                   Well-known group S-1-5-4      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
LOCAL                                      Well-known group S-1-2-0      Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192  Mandatory group, Enabled by default, Enabled group
Interesting thing: although I restricted access to the C drive of the server for user 'profesor', I could still write to C$, as you can see below:
C:\Users\profesor>whoami /groups >c:\whoami.txt
Access is denied.
C:\Users\profesor>whoami /groups >\\server\c$\whoami.txt
C:\Users\profesor>
February 27th, 2012 4:26pm
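Reading the whoami /groups listing above: this is an added example (not code from the thread or from either poster) that parses such a listing and flags the two indicators that matter here. BUILTIN\Administrators shown as "Group used for deny only", together with the Medium Mandatory Level label, means the account is a member of the local Administrators group but the session is running under a UAC-filtered token; REMOTE INTERACTIVE LOGON shows the session came in over Remote Desktop. The sample listing is constructed from the lines in the post.

```python
import re

# Constructed sample modelled on the whoami /groups listing posted in the thread;
# the attribute strings are the ones the tool actually prints.
SAMPLE_WHOAMI = r"""GROUP INFORMATION
-----------------

Group Name                                 Type             SID          Attributes
========================================== ================ ============ ==================================================
Everyone                                   Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                     Alias            S-1-5-32-544 Group used for deny only
BUILTIN\Users                              Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\REMOTE INTERACTIVE LOGON      Well-known group S-1-5-14     Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192  Mandatory group, Enabled by default, Enabled group
"""

# Group types whoami prints; the SID column is the reliable anchor for splitting a row.
TYPES = ("Well-known group", "Alias", "Label", "Group", "User")
SID_RE = re.compile(r"\s+(S-1-[\d-]+)\s*(.*)$")

def parse_groups(text):
    groups = []
    for line in text.splitlines():
        m = SID_RE.search(line)
        if not m:
            continue  # header, separator or blank line
        left = line[: m.start()].rstrip()   # "<name>   <type>"
        name, gtype = left, ""
        for t in TYPES:
            if left.endswith(t):
                name, gtype = left[: -len(t)].rstrip(), t
                break
        groups.append({"name": name, "type": gtype, "sid": m.group(1), "attrs": m.group(2).strip()})
    return groups

def diagnose(text):
    findings = []
    for g in parse_groups(text):
        if g["sid"] == "S-1-5-32-544":  # BUILTIN\Administrators
            if "deny only" in g["attrs"]:
                # UAC-filtered token: the account IS a local admin, it is just not elevated in this shell
                findings.append("member of local Administrators (UAC-filtered token)")
            else:
                findings.append("running with a full local Administrators token")
        elif g["sid"] == "S-1-5-14":  # NT AUTHORITY\REMOTE INTERACTIVE LOGON
            findings.append("session established over Remote Desktop")
        elif g["sid"] == "S-1-5-32-555":  # BUILTIN\Remote Desktop Users
            findings.append("member of Remote Desktop Users")
    return findings
```

Run it against `whoami /groups > out.txt` taken from a student or teacher session on the affected server to confirm whether those accounts have actually landed in the local Administrators group.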
When I ran RSoP it asked me about running mmc.exe. I accepted and it opened the Resultant Set of Policy window. What do I do now?
Note: the reason I logged in as 'profesor' (teacher's account) is that cmd is not disabled for this user.
February 27th, 2012 4:29pm
Hi,
First: sounds like your users must be local administrators (at least); log on with one of your student accounts and run whoami /groups, then run RSoP.
Second: run RSoP and let us see the results.
Mohammad Javad Bagdeli
Are you referring to the student or the teachers' accounts? No, they are not local administrators, at least they were not, and they shouldn't be. For the specific needs of teachers I have created a local administrator on their computers.
February 27th, 2012 4:35pm