Re: Can't remove user from administrator group

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 11/12/05

• Next message: Jim Fischer: "Re: Create restricted user account, 2003 server AD domain"
• Previous message: Spin: "Re: To automatically download and install ActiveX controls"
• In reply to: Steven L Umbach: "Re: Can't remove user from administrator group"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Fri, 11 Nov 2005 23:24:27 -0700

try lusrmgr instead of usrmgr (if I am remembering NT4 correctly)
or, on the NT4 member use
net localgroup administrators <username> /delete
where <username> is name of a member local account or is
domain qualified, domain\username, if a domain account

However, why not just disable and eventually delete the old
account ?? and the new person should be using their own
new account that has the privileges

-- 
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA,  MCSE W2k3+W2k+Nt4
"Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message 
news:uVqBTIu5FHA.1416@TK2MSFTNGP09.phx.gbl...
>I don't have a NT4.0 computer to play with right now but here is what I 
>would do. Run the command net localgroup administrators on that server to 
>see if it shows the membership of the local administrators group and to 
>make sure that you are indeed logged on as a local administrator - 
>preferably a local user account. Then use the command net localgroup 
>administrators username /delete to see if that works or not or gives some 
>sort of an error message.  I the user is a domain user then add the 
>domainame to the front of the users name as in domainname\username.  I 
>would also look in the system/application/security logs to see if anything 
>is reported there that may provide a clue.
>
> If worse comes to worse you could rename the old sam file, then delete it 
> and reboot the computer. This will create a new sam file that includes 
> ONLY built in groups/users and the administrator password would be blank. 
> You would have to do that from outside the operating system by placing the 
> hard drive in another computer as a secondary/slave or such. --- Steve
>
>
> "Ken Long" <kenl@despammed.com> wrote in message 
> news:tta9n1htvfhq635ic9h57pc8jbciqso3hs@4ax.com...
>> I'm having trouble removing a user from the local administrator group
>> on an older NT4 server. This server is a member server in our company
>> domain. The primary logon server is running Windows Server 2003 but
>> this member server is an old NT4 Server that had been demoted from PDC
>> during a recent upgrade.
>>
>> In the past, I had to find a way to allow this user to log onto the
>> server console and run a utility when I wasn't around. After playing
>> with it for a few months, I had to finally add her to the local
>> administrator group or it just didn't work. This wasn't a problem so I
>> did it. Now that task has fallen onto the shoulders of someone else so
>> I need to remove the old user from the administrator group. Here are
>> the steps I'm doing:
>>
>> 1. Open User Manager for Domains on the NT4 member server.
>>
>> 2. Change the domain to the local server name so I'm working on the
>> local server only. (User, Select Domain...)
>>
>> 3. Open the Administrator group and remove the user from the group.
>>
>> 4. Close User Manager and re-open. The user is back in the group as if
>> I had never removed her.
>>
>> I've checked to be sure she doesn't have some extra rights on the
>> Primary Logon Server but all is normal there. I suspect this might be
>> an unwanted side-effect from the demotion from PDC during the upgrade.
>> The account that keeps reappearing in the administrator group appears
>> to be a local user account, not a domain account, ie, it's shown as
>> simply username rather than Domain\username.
>>
>> All thoughts welcome.
>>
>> Ken Long
>> Albuquerque, NM
>> (Reply address works as is.)
>
> 

---

• Next message: Jim Fischer: "Re: Create restricted user account, 2003 server AD domain"
• Previous message: Spin: "Re: To automatically download and install ActiveX controls"
• In reply to: Steven L Umbach: "Re: Can't remove user from administrator group"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Setting a password on an AD account... ... I assume it's running in a restricted account right? ... You don't use SSL to bind, and as this runs from a server which is not a domain member (a ... this one fails when the current user is not an administrator on the DC. ... (microsoft.public.dotnet.languages.csharp) RE: Administrator Logon failure ... you have no problem logging on to the server via a Remote Desktop ... The account you use is a member of Domain Power Users or Remote Operators ... By default in SBS Local Security Policy, SBS Remote Operators ... Remove these groups from administrator via a TS session. ... (microsoft.public.windows.server.sbs) Re: I shot my foot off almost and the Admin cant log into the server locally ... server. ... Keep a backup administrator id around. ... > By default the Administrator should be a member of these groups: ... > Administrators, Domain Admins, Domain Users, Enterprise Admins, Group ... (microsoft.public.windows.server.sbs) Re: Which permissions does domain administrators have on member se ... Domain Admins are members of the local administrators group. ... When I logon via TS to the member server as domain administrator, ... (microsoft.public.windows.server.sbs) RE: Cant set Local Security policies. They fail to save ... I followed your instructions on applying the predefined security templates. ... I still can’t set any of the local security policies on the server box. ... > using local Administrator account to test, ... >>> member of either the Remote Operators group or the Domain Power Users ... (microsoft.public.windows.server.sbs)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(15)