Re: User removed Domain Admins group

anonymous_at_discussions.microsoft.com
Date: 05/28/04 

Date: Thu, 27 May 2004 15:07:22 -0700

Thanks for that suggestion, it worked.

>-----Original Message-----
>Create an OU and then a GPO for that OU. Configure
restricted groups for the
>administrators group and add domain admins to it. Run
secedit /refreshpolicy
>machine_policy /enforce on that domain conroller. Move
that computer into
>that OU [before secedit refresh] . After next Group
Policy refresh the
>domain admins group should be the only group in the
local administrators
>group on that computer. That could take up to a couple
of hours or maybe
>more if site replication is involved. If someone could
reboot it for you
>that may speed things up. This all depends on that
computer still being a
>member of the domain with a working computer account.
You may then want to
>move that computer back to it's normal container and
then reconfigure the
>local administrators group to be as needed. --- Steve
>
>http://support.microsoft.com/default.aspx?scid=KB;EN-
US;Q320065
>http://support.microsoft.com/default.aspx?scid=kb;en-
us;228496
>http://msdn.microsoft.com/library/default.asp?
url=/library/en-us/gp/611.asp
>
>"mouser" <anonymous@discussions.microsoft.com> wrote in
message
>news:13d5301c4441a$f4a159f0$a101280a@phx.gbl...
>> I am a Domain Admin for our company, and
>> in our network, we have several external offices
>> throughout the world, and each user has a machine on
>> active directory that they use. We grant these users
local
>> machine admin rights to their PC.
>>
>> We are no longer able to access one PC because the user
>> has removed the Domain Admins group from the local
>> Adminstrators group on the machine. He also changed the
>> administrator password. We can still bring up computer
>> management and see the groups and users, but I can't
add
>> anything.
>>
>> Is there any way to get access to this machine again
>> without the use of any hacking tools?
>
>
>.
>

Relevant Pages

  • RE: software to control domain administrators
    ... "Does anyone know any software to control, audit, or restrict access or privileges to domain administrators." ... I will restate my mantra differently, If you can not trust someone to be in a position of complete un-adulterated control of your network, then they should not be in that position. ... >(assuming we are talking about NT/AD Domain Admins) ...
    (Security-Basics)
  • Re: script to list users and groups in domain admin and local admi
    ... >> Domain admins membership can be determined easily enough in Active ... >> using the net command and such to enumerate local administrators. ... If you want to use Restricted Groups ... >>>I am looking for a script or guidance to write a script that will list ...
    (microsoft.public.win2000.security)
  • Re: Restricted Groups Problem
    ... Just create a restricted group for administrators and assign Domain Admins ... I have since deleted the restricted groups setting in the ... > group on all XP machines as quickly as possible? ...
    (microsoft.public.win2000.group_policy)
  • Re: Settle a Administrators dispute
    ... Administrators Local Group on the DC but not in the Domain Admins ... Global Group, the users of the Global Group do not have the same ... restricted groups policy. ...
    (microsoft.public.windows.server.active_directory)
  • Re: Local admin group?
    ... No don't remove the domain admins group from the administrators group for ... Create a global group of users to add the local administrators ... > for the purpose of updates but I don't want them to have admin rights on ...
    (microsoft.public.win2000.security)