Re: Add domain admin back to local admin

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 06/08/05 

Date: Wed, 8 Jun 2005 12:34:59 -0500

Well assuming the computer is still a member of the domain you could use a
Group Policy startup script with the net localgroup command but the best way
would probably be to use Group Policy Restricted Groups. There are two ways
to use Restricted Groups - with members or member of. If you specify members
then only the members you specify will be in the local administrators group.
If you use "member of" in Windows 2000 Service Pack 4 then group/users you
specify will become member of designated group. Be sure to try this at the
Organizational Until level only so as to not affect domain controllers and
domain administrators membership. I would create an OU with a GPO linked to
it with Restricted Groups configured and then move the computers into that
OU that you want to enforce Restricted Groups on. Then the next time the
Group Policy refreshes in those computers the Restricted Groups will apply
which may take up to two hours as the default Group Policy refresh interval
for a computer is 90 minutes with a 30 minute random offset. Rebooting the
computer should cause the policy to refreshed at computer startup. The links
below may help. --- Steve

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/611.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;228496
http://support.microsoft.com/default.aspx?scid=kb;en-us;810076

"Robin Hood" <Robin Hood@discussions.microsoft.com> wrote in message
news:6F2ABE0A-013B-4F25-9A6E-993306AE9161@microsoft.com...
> How can I remotely, without the users knowledge, add the domain admin back
> to
> the local administrators group?
>
> Thanks

Relevant Pages

  • Re: Local Printer Access
    ... > You can force a user into a local group via group policy using restricted ... > Restricted Groups Policy Settings ... > Members and Member Of. ... > Stand-Alone Server Default Settings ...
    (microsoft.public.windows.server.active_directory)
  • Re: Power User Setting Not Saved
    ... included in the Restricted Group via this group is a member of. ... power users along with the specific user you added. ... Restricted Groups to speed up propagation of any changes first run gpupdate ... move it to an Organizational Unit that would not have that Group Policy ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Power User Setting Not Saved
    ... included in the Restricted Group via this group is a member of. ... power users along with the specific user you added. ... Restricted Groups to speed up propagation of any changes first run gpupdate ... move it to an Organizational Unit that would not have that Group Policy ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Power User Setting Not Saved
    ... There are two ways to do Restricted Groups - members of this group or this ... you use this group is a member of then the global group/uers you specify ... will be added to the power users group and the existing members will not be ... move it to an Organizational Unit that would not have that Group Policy ...
    (microsoft.public.windowsxp.security_admin)
  • Re: applying group policy
    ... I cannot get the settings for group policy to ... Machine or user must be a domain member and authenticate with the domain ... User or machine is not in the container to which the GPO is linked. ... Kerberos authentication may not work if user is a member of many groups: ...
    (microsoft.public.windows.server.active_directory)