RE: domain admin rights keep changing on workstations



Have you run RSoP and verified that no group policy setting is causing your
issue? My hunch is that there might be a "Restricted Groups" implementation
in your environment. Some links pertaining to this are listed below:

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
http://technet.microsoft.com/en-us/library/cc785631.aspx
http://technet.microsoft.com/en-us/library/cc756802.aspx

It could be that when the GPO containing this setting gets reapplied in the
next refresh cycle, the assigned rights (admin) you have manually made get
overwritten.
--
Salvador Manaois III
MCSE MCSA CEH MCITP | Enterprise/Server Admin
Bytes & Badz : http://badzmanaois.blogspot.com


"Art" wrote:

I manage about 100 machines on my network and to allow SMS and Symantec to
function properly, we've added the domain admin accounts rights to the
machines as administrators to the local PCs.

After a short while - about just over 1 day, that account will drop to
either "Offer Remote Assistance Helpers". How do I keep it from changing
from Administrator?

I did not see anything in the GPOs to create this setting? After
searching these newsgroups, I did see a script that I could run in VBScript
to add the account every time they login? What is a good solution that would
keep the domain account permanently set to administrator for the local
computer? The computers, for now, are all running Windows XP Pro.

Here's the script that I found in these newsgroups in case you are wondering:
net localgroup administrators DOMAIN\domainadmin /add
net localgroup "power users" ....
net localgroup "remote desktop users" ...

Thanks in advance!
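
Added example (not part of the original thread and not code from either poster): Restricted Groups settings are stored in the [Group Membership] section of a GPO's GptTmpl.inf security template, and a "Members" list there is reapplied at every policy refresh, which is the overwrite described in the reply. The sketch below parses a constructed template and reports which current members of a local group are not on the enforced list. The template contents and the function names are assumptions, DOMAIN\domainadmin is the placeholder used in the thread, and entries are compared as written with no SID-to-name resolution.

```python
# Constructed sample of a GPO security template (GptTmpl.inf); names are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,DOMAIN\\Domain Admins
DOMAIN\\Helpdesk__Memberof = *S-1-5-32-555
DOMAIN\\Helpdesk__Members =
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_restricted_groups(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from [Group Membership]."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        name, sep, kind = key.strip().rpartition("__")
        if not sep or kind.lower() not in ("members", "memberof"):
            continue
        items = [v.strip() for v in value.split(",") if v.strip()]
        groups.setdefault(name, {})[kind.lower()] = items
    return groups

def removed_on_refresh(groups, group, current_members):
    """List the current members that an enforced Members list would drop."""
    enforced = groups.get(group, {}).get("members")
    if not enforced:
        # Simplification of this example: an empty or absent list is treated as not enforced
        return []
    allowed = {m.lower() for m in enforced}
    return [m for m in current_members if m.lower() not in allowed]

if __name__ == "__main__":
    parsed = parse_restricted_groups(SAMPLE_INF)
    # *S-1-5-32-544 is the well-known SID of the local Administrators group
    local_admins = ["Administrator", "DOMAIN\\domainadmin"]
    print(removed_on_refresh(parsed, "*S-1-5-32-544", local_admins))
```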