Re: NT AUTHORITY/INTERACTIVE auto populating the admin group

Thanks for the input Torgier,

I am working with an image of an AD domain machine that I created and
deployed on another machine that I made a member of a workgroup. So neither
of these articles apply to the issue.

I think you’re on to something with the local script, but I checked the
logon and startup scripts in the local GPO, and both were blank.

Any other suggestions would be appreciated.

Thanks
-John




"Torgeir Bakken (MVP)" wrote:

> JohnB wrote:
>
> > I am running XP Pro SP1, and have a issue I need to resolve.
> >
> > Every time the machine boots, the NT AUTHORITY/INTERACTIVE account
> > is added to the admin group. If I remove the account and then reboot,
> > it auto populates the admin group at next boot.
> >
> > I am going to deploy this image to a number of machines, and do not
> > want the users to have admin access, and they will if this account
> > is in the admin group.
> >
> > Is there a registry setting, or a MMC snap in I can use to prevent
> > the account from being added to the admin group at each login?
> Hi
>
> I would think it is something in Active Directory that pushes out this,
> and you will then need to change it there.
>
> This adding of the account could come from a computer startup script or
> logon script (both triggered by a GPO), or it can be a Restricted Groups
> GPO.
>
>
> More about Restricted Groups enforced with Group Policy here:
>
> http://groups.google.com/groups?selm=uM5aZa1YDHA.440%40tk2msftngp13.phx.gbl
>
> and
>
> How to Configure a Global Group to Be a Member of the Administrators
> Group on all Workstations
> http://support.microsoft.com/default.aspx?scid=kb;en-us;320065
>
> Note that this will delete all existing members of the local group you
> apply this policy to.
>
>
> --
> torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
> Administration scripting examples and an ONLINE version of
> the 1328 page Scripting Guide:
> http://www.microsoft.com/technet/scriptcenter/default.mspx
>
.

Relevant Pages

  • Re: Membership...
    ... Administrators group in some computers contrain members with deleted domain ... account such as this: ... >> REMOTELY using vb script. ... >> following script can remove the member of the Administrators group if the ...
    (microsoft.public.scripting.vbscript)
  • Re: Membership...
    ... I would like to remove DOMAIN account from a LOCAL administrators group REMOTELY using vb script. ... The following script can remove the member of the Administrators group if the account is a LOCAL account to that computer. ... If the account is a DOMAIN account, I got the error with message: 'A member could not be added or removed from the local group because the member does not exist'. ...
    (microsoft.public.scripting.vbscript)
  • Re: User type
    ... Do I put the script, using gpedit.msc, on the domain or workstations. ... > If the computer is member of domain then you should use domain user ... Add this computer account to new domain group called e.g. ... > administrator and make your users local administrators. ...
    (microsoft.public.windows.server.setup)
  • Re: Membership...
    ... > Fan Fan wrote: ... >> REMOTELY using vb script. ... >> following script can remove the member of the Administrators group if the ... >> account is a LOCAL account to that computer. ...
    (microsoft.public.scripting.vbscript)
  • Add local user to admins group
    ... The script to add a local user to the admin group below is erroring on ... account exists and is created via another vbs script. ... Set objShell = createobject ...
    (microsoft.public.windows.server.scripting)