Re: Adding Groups to Local Administrator Remotely

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 10/15/03


Date: Wed, 15 Oct 2003 07:22:45 -0700

Restricted groups in GPO applied to machines can
take complete control over the local Administrators
group membership. If UserA is to also be admin on
MachineA, UserB on MachineB, etc. then use of the
Restricted Groups capability is problematic. In this
case you could use a Startup script to do something such as
net localgroup Administrators "domname\Domain Admins" /Add
but the local admin could then remove this as soon as
they log in.
If you now have no admin account on some machine
then there is no direct way to exercise admin powers
there to do such things as adjusting group memberships,
other than what was already mentioned, or similar (push an
install that includes adjustment of membership, for example).

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Andy Damron" <adamron@norfolk.gov> wrote in message
news:0f2c01c39317$98da2570$a101280a@phx.gbl...
> I am a domain admin in our Windows 2000 server
> environment.  I have some users (that have local
> administrative rights) that have removed the domain
> admins from the local administrators group.  This has
> prevented me from performing several functions when
> remotely administering these particular computers.
>
> I have tried policies in AD, but they have all been
> unsuccessful.  I can't seem to find a way to bypass the
> local security on these computers even though these
> computers are part of the domain.
>
> I would like to know if there is a way to remotely push
> adding the domain admins group back into the local
> administrators group on these computers.
>
> Thanks
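
The Startup-script approach from the reply above, written as an added example (not part of the original post or of any Microsoft tooling). It re-adds the group only when it is missing and records an event each time it has to, so machines where a local admin keeps removing it show up in the Application log. Assumptions: Windows PowerShell 5.1 or later, the script runs as a computer Startup script, `DOMNAME` is a placeholder domain name, and the event source name and event IDs are hypothetical.

```powershell
# Added example: computer Startup script, runs as SYSTEM at boot via GPO.
# DOMNAME is a placeholder; the event source and event IDs are hypothetical.
$AdminsSid = 'S-1-5-32-544'             # well-known SID of BUILTIN\Administrators
$Member    = 'DOMNAME\Domain Admins'    # group that must stay a local admin
$Source    = 'LocalAdminsStartupCheck'  # hypothetical Application log source

function Write-AuditEvent {
    param(
        [string]$Message,
        [string]$EntryType = 'Information',
        [int]$EventId = 1000
    )
    # Register the event source on first use (SYSTEM is allowed to do this).
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source
    }
    Write-EventLog -LogName Application -Source $Source `
        -EntryType $EntryType -EventId $EventId -Message $Message
}

try {
    # Look the group up by SID so a renamed or localized
    # Administrators group is still found.
    $present = Get-LocalGroupMember -SID $AdminsSid -Member $Member `
        -ErrorAction SilentlyContinue

    if (-not $present) {
        Add-LocalGroupMember -SID $AdminsSid -Member $Member -ErrorAction Stop
        # A warning here means someone removed the group since the last boot.
        Write-AuditEvent -EntryType Warning -EventId 1001 -Message (
            "$Member was missing from local Administrators on " +
            "$env:COMPUTERNAME and has been re-added.")
    }
}
catch {
    # For example: no domain controller reachable at boot, name not resolvable.
    Write-AuditEvent -EntryType Error -EventId 1002 -Message (
        "Could not verify or restore $Member in local Administrators: " +
        $_.Exception.Message)
}
```

As the reply notes, this only restores the membership at the next boot; a local admin can still remove the group again after logging in, which is what the warning event makes visible.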

