Re: XP client - Admin Rights

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 07/30/04


Date: Thu, 29 Jul 2004 19:59:55 -0700

So you are saying that the machine is a healthy member of
the domain, but you have no admin account that can be used
on it?

That implies that you have no way of seeing what accounts
currently have machine local Administrators group membership,
and also that you have no way to map the admin shares.

So, the following is (only slightly) risky, as will be pointed out.
You can define a temp OU in your AD, and move the machine
into this OU. This OU is best placed as a sub-OU at the location
where the machine object presently resides in order for the machine
to continue to receive all current GPOs.
Now, define a new GPO and link it to this new OU.
In the new GPO define a Restricted Group naming it Administrators,
and in the definition of this restricted group add Domain Admins and
type in <some name>. Also in this GPO in the local settings security
options find the policy to rename Administrator and rename it to this
same <some name> - using an account name of your choice. This is
needed as if you used Administrator in the Restricted Group, but the
account had been renamed and does not exist by that name . . .

Now, if the machine had some service with a special account that was
an admin, this will break that while this temp setup is in effect.
That is your risk.

With that all in place, reboot the machine, and then log in with a Domain
Admin account. Once in, change the password to something known on
the <some name> built-in Administrator account. Next remove the
GPO and force the machine to refresh its policy, and then check and
make sure that Domain Admins is a member of the local Administrators.

-- 
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"Terry" <yoo_hoo_2000@REMOVETHISntlworld.com> wrote in message
news:e1SANFcdEHA.1000@TK2MSFTNGP12.phx.gbl...
> I need to apply admin rights for a user on an XP client. The problem is that
> the user is a member of administrators on the server, but a limited user on
> the XP client. It would also appear that I have made things difficult for
> myself as I no longer have any AD users that can login as an administrator
> (domain.administrator) on the client and can't find a way back to logging on
> with the local administrator (machine.administrator) account. I can see the
> profiles on the client.
>
> Any help please?
>
> regards
>
>
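
The final check described in the reply above (that Domain Admins is a member of the local Administrators group after the policy refresh), as an added example that is not part of the original post. It assumes PowerShell 2.0 or later is installed on the client, and it identifies members by SID rather than by name, so a renamed built-in Administrator account is still recognised.

```powershell
# Added example, not from the original post. Run on the client as an administrator.
# Assumption: PowerShell 2.0+ is available on the machine.

# Refresh computer policy first, as the reply describes.
gpupdate /target:computer /force

# Resolve the local Administrators group from its well-known SID, so the
# lookup also works if the group name is localized.
$adminsSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$groupName = $adminsSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
$group     = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"

# Enumerate members and classify each by the RID at the end of its SID.
$members = foreach ($m in @($group.psbase.Invoke('Members'))) {
    $type  = $m.GetType()
    $name  = $type.InvokeMember('Name',      'GetProperty', $null, $m, $null)
    $bytes = $type.InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
    $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    $role  = switch -Regex ($sid) {
        '^S-1-5-21-.*-512$' { 'Domain Admins' }
        '^S-1-5-21-.*-500$' { 'Administrator account (RID 500, local or domain)' }
        default             { 'other, review' }
    }
    New-Object PSObject -Property @{ Name = $name; SID = $sid; Role = $role }
}

$members | Format-Table Name, SID, Role -AutoSize

# The check the reply asks for: Domain Admins must be present.
if (-not ($members | Where-Object { $_.Role -eq 'Domain Admins' })) {
    Write-Warning 'Domain Admins is missing from the local Administrators group.'
}
```

Any member reported as "other, review" is worth comparing against the service accounts the reply warns may have been removed while the temporary Restricted Group was in effect.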

