Re: Missing Group for local admin group

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 10/21/05 

Date: Fri, 21 Oct 2005 11:54:44 -0500

I would suspect that Restricted Groups is being implemented as others have
said. Another thing to do is to impellent auditing of account management on
those workstations in local [or otherwise appropriate] security policy. Then
look in the security log for events that indicate a change in membership of
the administrators group which would indicate the user that did it and the
time. If the user is system then it is most likely done by Restricted Groups
or a startup script. Also try adding the group to the local administrators
group, and then run the command secedit/ refreshpolicy machine_policy
enforce on that workstation. Check the membership of the administrators
group again. If your group was removed then almost certainly it is Group
Policy Restricted Groups. You can use the support tool gpresult to see what
Group Policies are being applied to the "computer" and one of them would be
implementing Restricted Groups. The link below may be helpful as it explains
the use of Restricted Groups. --- Steve

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

<nsunny66@hotmail.com> wrote in message
news:1129646075.544150.309900@o13g2000cwo.googlegroups.com...
> Hi there
> This is driving me nuts. I am trying to figure out what is going on.
> I have a windows 2000 Active Directory, I have a group on the AD called
> SQL. I added the SQL group on to the local admin group on a couple of
> workstations (the workstations are on the same domain). The addition of
> the group is successful. The next day when i check the local admin
> group on the workstations, it is missing.
> Please Advice !!!!!
> Thanks
>

Relevant Pages

  • Re: Missing Group for local admin group
    ... Doh - good addition Steve. ... machine startup/shutdown scripts from being mentioned!! ... >I would suspect that Restricted Groups is being implemented as others have ... >> workstations. ...
    (microsoft.public.win2000.security)
  • Re: Administrators Group in Local Users and Groups
    ... I had it set up right, it just took a while to get out to the workstations. ... > right click on restricted groups and select new group (For the local ... this group name should be - administrators) and key in the ... Select add on the Members of this group and then ...
    (microsoft.public.windows.server.active_directory)
  • Re: Local admin through group policy and keep admin on local machine?
    ... startup scripts vs. restricted groups and use the GPO to enforce the startup ... administrators vs. making it the only group. ... and give them local admin on all the OU PCs). ...
    (microsoft.public.windows.server.active_directory)
  • Re: User permission on local computer
    ... You can use the Restricted Groups polcy to push it out to the workstations, ... but I would warn against it as that policy does not 'add' users/groups to the ... admin group on the workstation, it replaces the contents of the admin group ...
    (microsoft.public.windows.server.active_directory)
  • Re: help with use of restricted groups and individual rights assigment
    ... > accounts to admin group on the workstations. ... > that by also using the same restricted group to grant user groups ... > How do i continue using GPO restricted groups but separately grant ...
    (microsoft.public.win2000.group_policy)