Re: User removed Domain Admins group

From: Steven L Umbach (sumbach_at_N0spam.ameritech.net)
Date: 05/27/04


Date: Thu, 27 May 2004 16:08:17 -0500

Create an OU and then a GPO for that OU. Configure restricted groups for the
administrators group and add domain admins to it. Run secedit /refreshpolicy
machine_policy /enforce on that domain controller. Move that computer into
that OU [before secedit refresh]. After next Group Policy refresh the
domain admins group should be the only group in the local administrators
group on that computer. That could take up to a couple of hours or maybe
more if site replication is involved. If someone could reboot it for you
that may speed things up. This all depends on that computer still being a
member of the domain with a working computer account. You may then want to
move that computer back to its normal container and then reconfigure the
local administrators group to be as needed. --- Steve

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q320065
http://support.microsoft.com/default.aspx?scid=kb;en-us;228496
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/611.asp

"mouser" <anonymous@discussions.microsoft.com> wrote in message
news:13d5301c4441a$f4a159f0$a101280a@phx.gbl...
> I am a Domain Admin for our company, and
> in our network, we have several external offices
> throughout the world, and each user has a machine on
> active directory that they use. We grant these users local
> machine admin rights to their PC.
>
> We are no longer able to access one PC because the user
> has removed the Domain Admins group from the local
> Administrators group on the machine. He also changed the
> administrator password. We can still bring up computer
> management and see the groups and users, but I can't add
> anything.
>
> Is there any way to get access to this machine again
> without the use of any hacking tools?
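
Added example, not part of the original thread: a Restricted Groups setting in a GPO is stored in the `[Group Membership]` section of the policy's security template (`GptTmpl.inf`), and the sketch below checks such a template before the computer is moved into the recovery OU. It assumes the template text is already decoded and that members are written as SIDs; the domain SID in the sample and the function names are made up for illustration.

```python
import re

ADMINISTRATORS = "S-1-5-32-544"   # well-known SID of BUILTIN\Administrators
DOMAIN_ADMINS_RID = "512"         # well-known RID of the Domain Admins group

# Constructed sample of the section a Restricted Groups setting produces;
# the domain SID below is invented for this example.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512
"""

def restricted_members(template_text, group_sid=ADMINISTRATORS):
    """Return the enforced member list for group_sid, or None when the
    template does not restrict that group at all."""
    section = None
    wanted = f"{group_sid}__members".lower()
    for raw in template_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "group membership" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lstrip("*").lower() == wanted:
            return [m.strip().lstrip("*") for m in value.split(",") if m.strip()]
    return None

def check_template(template_text):
    """Classify what the policy will do to the local Administrators group."""
    members = restricted_members(template_text)
    if members is None:
        return "not-restricted"        # policy leaves the group untouched
    if not members:
        return "empties-group"         # empty Members list strips the members
    pattern = r"S-1-5-21(-\d+){3}-" + DOMAIN_ADMINS_RID
    has_da = any(re.fullmatch(pattern, m) for m in members)
    return "ok" if has_da else "domain-admins-missing"

if __name__ == "__main__":
    print(check_template(SAMPLE_TEMPLATE))
```

Because the Members list is authoritative, any account not named on that line is removed at the next policy refresh, which is why the reply suggests moving the computer back and reconfiguring the group afterwards.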


