Adding Groups to Local Administrator Remotely

From: Andy Damron (adamron_at_norfolk.gov)
Date: 10/15/03


Date: Wed, 15 Oct 2003 05:26:45 -0700

I am a domain admin in our Windows 2000 server
environment. I have some users (that have local
administrative rights) that have removed the domain
admins from the local administrators group. This has
prevented me from performing several functions when
remotely administering these particular computers.

I have tried policies in AD, but they have all been
unsuccessful. I can't seem to find a way to bypass the
local security on these computers even though these
computers are part of the domain.

I would like to know if there is a way to remotely push
adding the domain admins group back into the local
administrators group on these computers.

Thanks


