Re: Local admin accounts gone haywire




Howdy Frisk!

Frisk wrote:
> After forcing a gp update this seemed to work, all techs automatically
> have local admin privileges on any workstation they logged onto, but
> after a little analysis, I decided this was a little unsafe and removed
> the restrictive group.

Okay.

> When I log on as the domain administrator on any workstation, I no
> longer have local administrative rights on that machine, unless I
> rejoin the workstation to the domain, and I don't really want to have to
> do that with 200+ machines when I've done it already.

That's clear. See: The Restricted Groups feature doesn't _add_ the users to the admins group, it _replaces_ the users located in that group. In simple words: you replaced yourself and the local administrators of the machines by the tech-group as admins.

> Also, the tech group still always have local admin privileges on
> workstations (even workstations they've never logged onto before) even
> though none are members of any administrator group and I removed the
> restrictive groups policy.

After you removed the Restricted Group-policy, the tech-users still belong to the admins group because no one took them out. You would manually have to take them out.


> Can anyone help me understand what's going on? I really don't want to
> have to rebuild, and I used to feel that I understood win2000
> networking pretty well but this has just stumped me.

The easiest solution would be: add a new Restricted Groups policy and let domain-admins have administrator rights on the local machines. Don't forget to explicitly add the local admins to the administrators group. After applying the GP, the tech-users will automatically drop out...

cheers,

Florian
--
Junior admin from southern Germany.
eMail: first name [at] frickelsoft [dot] net.
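
An added example, not part of the original post: a PowerShell check that compares each workstation's local Administrators membership against the list the corrected Restricted Groups policy should enforce, so leftover entries such as the tech group show up before and after the new GPO applies. The domain name EXAMPLE, the group Techs, the hosts WS01/WS02 and the function name Get-AdminDrift are constructed for illustration.

```powershell
# Added example. All account, group and host names are constructed placeholders.
# Members the Restricted Groups policy is meant to enforce on every workstation.
$Expected = @('EXAMPLE\Domain Admins', 'Administrator')

function Get-AdminDrift {
    param(
        [string]$Computer,
        [string[]]$Actual,    # current members of BUILTIN\Administrators
        [string[]]$Expected   # members the policy should leave in place
    )
    # Local accounts are reported as "WS01\Administrator"; strip the machine
    # prefix so they compare equal to the bare name in $Expected.
    $prefix = '^' + [regex]::Escape($Computer) + '\\'
    $norm = @($Actual | Where-Object { $_ } | ForEach-Object { $_ -replace $prefix, '' })

    [pscustomobject]@{
        Computer   = $Computer
        # Still in the group although the policy does not list them
        Unexpected = @($norm | Where-Object { $_ -notin $Expected })
        # Listed by the policy but absent from the group
        Missing    = @($Expected | Where-Object { $_ -notin $norm })
    }
}

# Constructed sample data. WS02 is the state described in the thread: the
# membership was replaced by the tech group, then the policy was removed
# and nothing put the original members back.
$Sample = @{
    'WS01' = @('WS01\Administrator', 'EXAMPLE\Domain Admins')
    'WS02' = @('EXAMPLE\Techs')
}

$Sample.GetEnumerator() | Sort-Object Key | ForEach-Object {
    Get-AdminDrift -Computer $_.Key -Actual $_.Value -Expected $Expected
} | Format-Table -AutoSize

# Against a live machine (needs PowerShell remoting and Windows PowerShell 5.1+),
# collect $Actual by the group's well-known SID so localized names do not matter:
#   $actual = Invoke-Command -ComputerName WS01 -ScriptBlock {
#       (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
#   }
```

WS01 reports nothing unexpected or missing; WS02 reports EXAMPLE\Techs as unexpected and both policy-listed members as missing.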