Re: Smart user removing domain admin group from local admin group

From: ptwilliams (ptw2001_at_hotmail.com)
Date: 06/29/04


Date: Tue, 29 Jun 2004 23:41:45 +0100

I have to chip in here. Chris' solution is the solution to take; however,
GPO processing does occur every 90 mins by default, but once it has applied
it will not apply again unless the GPO is changed. Therefore, if the users
change the group membership after GPO application, it will not get changed
again until foreground processing occurs - a logon (or reboot) or secedit
/refreshpolicy machine_policy /enforce (unless you've set the security
client side extension to process every time regardless of change).

-- 
Paul Williams
_________________________________________
 http://www.msresource.net
Join us in our new forums!
  http://forums.msresource.net
_________________________________________
"Chriss3" <noSpamHere@chrisse.se> wrote in message
news:%23kGicnhXEHA.1128@TK2MSFTNGP10.phx.gbl...
Hello Jody.
You should perhaps not give them local administrator rights if they are not
trusted. The article below shows how you can link the domain admins group to
the local admin group; the membership will refresh every time the GPO is
re-applied I think, it's every 90min by default.
Restricted groups within a Group Policy allow you to map membership
http://www.chrisse.se/MAQB.asp?ID=29
-- 
Regards
Christoffer Andersson
No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips
"Jody Riding" <jriding@fishnetsecurity.com> wrote in message
news:2314901c45e01$e21742d0$a501280a@phx.gbl...
> I have a couple of "smart" users that are removing the
> Domain administrator group from the local admin group on
> their pc. This is creating serious issues with trying to
> administrate the environment. I remember from an old job I
> had where there was a script that was put into Active
> Directory that would force / re-add the domain admin group
> to the local admin group. The script would force this due to
> the fact of connection and login to AD. This force was not
> account linked but forced due to being in the login script
> section of AD. If anyone has any ideas on this it would be
> greatly appreciated.
>
> Please feel free to email me as well.
>
> J Riding
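
A drift check for the situation discussed in this thread, as an added example that is not part of any poster's message: it detects when Domain Admins is missing from the local Administrators group, reports whether the security client-side extension is set to reprocess unchanged GPOs, and forces reapplication. Assumptions: Windows PowerShell 5.1 or later on a domain-joined machine, an elevated prompt, and `gpupdate`, which replaced the `secedit /refreshpolicy` command on Windows versions after Windows 2000.

```powershell
# Added example, not from the thread. Run elevated on a domain-joined machine.

# BUILTIN\Administrators has the fixed SID S-1-5-32-544 on every machine.
$localAdminsSid = 'S-1-5-32-544'
# Domain Admins is always <domain SID>-512; local account RIDs do not use 512.
$domainAdminsPattern = '^S-1-5-21-\d+-\d+-\d+-512$'

# Policy key of the security client-side extension. NoGPOListChanges = 0 means
# "process even if the Group Policy objects have not changed".
$cseKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\' +
          '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'

function Test-DomainAdminsPresent {
    # True when any member of local Administrators is a Domain Admins group.
    $members = Get-LocalGroupMember -SID $localAdminsSid -ErrorAction Stop
    [bool]($members | Where-Object { $_.SID.Value -match $domainAdminsPattern })
}

function Test-SecurityCseAlwaysProcesses {
    # True when background refresh reapplies security settings every cycle.
    $value = Get-ItemProperty -Path $cseKey -Name NoGPOListChanges `
                              -ErrorAction SilentlyContinue
    ($null -ne $value) -and ($value.NoGPOListChanges -eq 0)
}

if (Test-DomainAdminsPresent) {
    Write-Output 'OK: Domain Admins is a member of local Administrators.'
    exit 0
}

Write-Warning 'Drift: Domain Admins is missing from local Administrators.'
if (-not (Test-SecurityCseAlwaysProcesses)) {
    Write-Warning 'Security CSE skips unchanged GPOs on background refresh.'
}

# Reapply all computer policy settings, changed or not, then re-check.
gpupdate /target:computer /force
if (Test-DomainAdminsPresent) { exit 0 } else { exit 1 }
```

A non-zero exit code means the Restricted Groups setting did not restore the membership, which is worth investigating as a GPO scoping or filtering problem.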

