Re: Win 2003 Local Admin Problem

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: Dmitry Korolyov [MVP] (d__k_at_removethispart.mail.ru)
Date: 01/17/05 

Date: Tue, 18 Jan 2005 00:40:28 +0300

You can look at the following KB articles for detail about Restriced Groups
feature:

http://support.microsoft.com/default.aspx?scid=kb;en-us;279301
http://support.microsoft.com/default.aspx?scid=kb;en-us;228496
http://support.microsoft.com/default.aspx?scid=kb;en-us;320065

I also suggest that you perform changes in a test environment to make
yourself suitable with these features before rolling them out to production
environment. 

-- 
Dmitry Korolyov [d__k@removethispart.mail.ru]
MVP: Windows Server - Directory Services
"Fluffy_Ninja" <FluffyNinja@discussions.microsoft.com> wrote in message 
news:F9D9A1A6-3306-4D4C-8293-1A438C47D154@microsoft.com...
> Please could you describe the exact steps required to do this. I'm aware 
> that
> if I make a mistake I could strip out all local admin users.
>
> "Dmitry Korolyov [MVP]" wrote:
>
>> You can use Restricted Groups feature of the GP to add Domain Admins into
>> builtin Administrators group. Configure a GPO and apply it so it affects 
>> the
>> screwed computer account, then just reboot the computer.
>>
>> -- 
>> Dmitry Korolyov [d__k@removethispart.mail.ru]
>> MVP: Windows Server - Directory Services
>>
>>
>> "Fluffy_Ninja" <FluffyNinja@discussions.microsoft.com> wrote in message
>> news:F984C487-1760-4185-9919-A3E870BB2941@microsoft.com...
>> > Hello.
>> > On a 2003 member server in our domain, I made the mistake of removing 
>> > the
>> > Domain Admins group from the local administrators group on the server. 
>> > I
>> > also
>> > managed to get myself in a situation whereby all other local users that
>> > are
>> > in the  local administrator group have their accounts disabled. So I'm
>> > kind
>> > of in a catch 22 situation. I need to add Domain Admins group back in 
>> > to
>> > the
>> > local administrators group on the machine, but to do so I need to use a
>> > local
>> > administrator account and all of these are disabled. Is there any 
>> > possible
>> > way of fixing this? I have tried using the ntrights.exe utility, but 
>> > this
>> > fails with an error.
>> > Thanks
>> > Rob
>>
>>
>>

Relevant Pages

  • Re: Windows Server 2003 SP1 has no access to Active Directory
    ... already be part of the local administrators group ... > After having installed SP1 on a Windows Server 2003 we tried to add the ... > Domain Admins to the Local Administrator Group. ... Should we uninstall SP1? ...
    (microsoft.public.windows.server.setup)
  • Re: Win 2003 Local Admin Problem
    ... You should have defined a built-in Administrators group as a restricted ... I added the local administrators group on my PC. ... Windows Server - Directory Services ... >>>> You can use Restricted Groups feature of the GP to add Domain Admins ...
    (microsoft.public.windows.group_policy)
  • Re: Local Admin
    ... This posting is provided "AS IS" with no warranties, ... > the group that is your focus in the local Administrators group. ... > like the Domain Admins group to be a member of each and every WIN2000 and ... > you might want to include the Domain Admins group..... ...
    (microsoft.public.windows.server.active_directory)
  • Re: Administrator
    ... > the Local Administrators group a security risk? ... > Domain Admins available might be the only thing that saves you. ... > Sharepoint databases, right? ...
    (microsoft.public.sharepoint.portalserver)
  • Re: IPMSG.EXE
    ... permissions so that the Local Administrators Group (which includes the ... Domain Admins) has full access but the Local User Group (which contains the ... "Sanjeev" wrote in message ... > Some of the users on our compnay network have been found to be using IP ...
    (microsoft.public.security)