Re: Ensuring Domain Admins is always in the Local Admins group

From: Nick Finco [MS] (nfinco@online.microsoft.com)
Date: 03/20/03

Next message: Ed Thurber: "Re: How do I allow USB accessibility to W2K Restricted user?"
Previous message: Keith W. McCammon: "***MS03-007 FAQ @ WWW.NTBUGTRAQ.COM***"
In reply to: Rowan Smith: "Ensuring Domain Admins is always in the Local Admins group"
Next in thread: mark: "Re: Ensuring Domain Admins is always in the Local Admins group"
Reply: mark: "Re: Ensuring Domain Admins is always in the Local Admins group"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "Nick Finco [MS]" <nfinco@online.microsoft.com>
Date: Thu, 20 Mar 2003 11:40:42 -0800

This behaviour modification to the Security Option Restricted Groups
Memberof setting would give you the desired functionality.

http://support.microsoft.com/default.aspx?scid=kb;en-us;810076

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
"Rowan Smith" <usenet@microsoft.com> wrote in message
news:u05A5Zt7CHA.1740@TK2MSFTNGP12.phx.gbl...
> Is there a way to use a group policy to ensure that the Domain Admins
group
> is always in the Local Admins group of every computer in a domain?
>
> We run a fairly loose shop, with multiple divisions each doing there own
> thing and one of those things is typically to remove domain admins from
the
> local admins groups.  this is frequently a royal pain in the a...
>
> I am looking for a way to have the domain admins added back into the Local
> Admins group - the restricted groups policy dosn't acheive this because it
> replaces everything in the local admins with what is in the restricted
> group, I simply want to add if it dosn't exist.
>
> Any ideas?
>
> Thanks.
>
> -Rowan
>
>

Next message: Ed Thurber: "Re: How do I allow USB accessibility to W2K Restricted user?"
Previous message: Keith W. McCammon: "***MS03-007 FAQ @ WWW.NTBUGTRAQ.COM***"
In reply to: Rowan Smith: "Ensuring Domain Admins is always in the Local Admins group"
Next in thread: mark: "Re: Ensuring Domain Admins is always in the Local Admins group"
Reply: mark: "Re: Ensuring Domain Admins is always in the Local Admins group"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: domain user with local admin right
... admin and you are correct on choosing Restricted Groups to implement it. ... with the exception on the domain admins group. ... some users who are local admins on machines and for some reason they feel ...
(microsoft.public.windows.server.active_directory)
Re: Enable non-admin users to access member servers or client PC
... the client machines they probably will require to be local admins (Not ... In order to modify server folder permissions the group needs to be ... groups like Domain Admins, Administrators, etc. ...
(microsoft.public.windows.server.active_directory)
Re: Domain Admin?
... If you want them to be local admins so they can perform maintenance than you should consider using restricted groups: ... Create the gpo in the ou where the Computers reside, go to computer configuration/windows settings/security settings/restricted groups, right click on restricted groups and select new group and key in the group you want auto populated. ... We have some users who are local admins on machines and for some reason they feel compelled to remove the domain admins from their local administrators group. ...
(microsoft.public.windows.server.active_directory)
Re: users removing Domain Admin from local admin group
... You can't set the machine up so local admins can't modify the local ... administrators group. ... If the corporate policy is that domain admins are to be listed in the ...
(microsoft.public.win2000.security)
Re: local admin issues
... Restricted groups via GPO is the best way to control the local admins. ... Is there a way to prevent domain admins to be removed from the local ...
(microsoft.public.windows.server.active_directory)