Re: Missing Group for local admin group

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 10/22/05

  • Next message: Steven L Umbach: "Re: Missing Group for local admin group" 
    Date: Fri, 21 Oct 2005 23:08:34 -0700

    Doh - good addition Steve.
    I am not sure where the blinders came from that kept
    machine startup/shutdown scripts from being mentioned !!

    Thx,
    Roger

    "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
    news:eojH$Am1FHA.2348@TK2MSFTNGP15.phx.gbl...
    >I would suspect that Restricted Groups is being implemented as others have
    >said. Another thing to do is to impellent auditing of account management on
    >those workstations in local [or otherwise appropriate] security policy.
    >Then look in the security log for events that indicate a change in
    >membership of the administrators group which would indicate the user that
    >did it and the time. If the user is system then it is most likely done by
    >Restricted Groups or a startup script. Also try adding the group to the
    >local administrators group, and then run the command secedit/ refreshpolicy
    >machine_policy enforce on that workstation. Check the membership of the
    >administrators group again. If your group was removed then almost certainly
    >it is Group Policy Restricted Groups. You can use the support tool gpresult
    >to see what Group Policies are being applied to the "computer" and one of
    >them would be implementing Restricted Groups. The link below may be helpful
    >as it explains the use of Restricted Groups. --- Steve
    >
    > http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
    >
    > <nsunny66@hotmail.com> wrote in message
    > news:1129646075.544150.309900@o13g2000cwo.googlegroups.com...
    >> Hi there
    >> This is driving me nuts. I am trying to figure out what is going on.
    >> I have a windows 2000 Active Directory, I have a group on the AD called
    >> SQL. I added the SQL group on to the local admin group on a couple of
    >> workstations (the workstations are on the same domain). The addition of
    >> the group is successful. The next day when i check the local admin
    >> group on the workstations, it is missing.
    >> Please Advice !!!!!
    >> Thanks
    >>
    >
    >

  • Next message: Steven L Umbach: "Re: Missing Group for local admin group"

    Relevant Pages

    • Re: Missing Group for local admin group
      ... those workstations in local security policy. ... If the user is system then it is most likely done by Restricted Groups ... Also try adding the group to the local administrators ... The next day when i check the local admin ...
      (microsoft.public.win2000.security)
    • Re: Administrators Group in Local Users and Groups
      ... I had it set up right, it just took a while to get out to the workstations. ... > right click on restricted groups and select new group (For the local ... this group name should be - administrators) and key in the ... Select add on the Members of this group and then ...
      (microsoft.public.windows.server.active_directory)
    • Re: User permission on local computer
      ... You can use the Restricted Groups polcy to push it out to the workstations, ... but I would warn against it as that policy does not 'add' users/groups to the ... admin group on the workstation, it replaces the contents of the admin group ...
      (microsoft.public.windows.server.active_directory)
    • Re: help with use of restricted groups and individual rights assigment
      ... > accounts to admin group on the workstations. ... > that by also using the same restricted group to grant user groups ... > How do i continue using GPO restricted groups but separately grant ...
      (microsoft.public.win2000.group_policy)