Re: Win 2003 Local Admin Problem

From: Dmitry Korolyov [MVP] (d__k_at_removethispart.mail.ru)
Date: 01/18/05


Date: Tue, 18 Jan 2005 16:06:27 +0300

You should have defined a built-in Administrators group as a restricted
group, and defined its membership to include Domain Admins group, for
example.

-- 
Dmitry Korolyov [d__k@removethispart.mail.ru]
MVP: Windows Server - Directory Services
"Fluffy_Ninja" <FluffyNinja@discussions.microsoft.com> wrote in message 
news:AE08FB64-6D7F-43A5-899E-5FD75D75F4CC@microsoft.com...
> Hi Dmitry
>
> Following this advice, it is only partially successful. I created a test OU
> and a test GPO applied to that OU. On my PC using Group Policy Management
> Console, I created a restricted group called Wrkstn_Admins and in the Member
> Of list, I added the local administrators group on my PC. This should add the
> domain group Wrkstn_Admins to the local administrators group on all computers
> in my OU. I added my computer and one other to my OU and I ran gpupdate
> /force on both machines. On my PC, the update was successful, but on the
> other PC there was no effect.
>
> Please can you advise why this worked on my PC and not on the other one?
>
> Many Thanks, Rob
>
> "Dmitry Korolyov [MVP]" wrote:
>
>> You can look at the following KB articles for detail about Restricted Groups
>> feature:
>>
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;279301
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;228496
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;320065
>>
>> I also suggest that you perform changes in a test environment to make
>> yourself suitable with these features before rolling them out to production
>> environment.
>>
>> -- 
>> Dmitry Korolyov [d__k@removethispart.mail.ru]
>> MVP: Windows Server - Directory Services
>>
>>
>> "Fluffy_Ninja" <FluffyNinja@discussions.microsoft.com> wrote in message
>> news:F9D9A1A6-3306-4D4C-8293-1A438C47D154@microsoft.com...
>> > Please could you describe the exact steps required to do this. I'm aware
>> > that if I make a mistake I could strip out all local admin users.
>> >
>> > "Dmitry Korolyov [MVP]" wrote:
>> >
>> >> You can use Restricted Groups feature of the GP to add Domain Admins into
>> >> builtin Administrators group. Configure a GPO and apply it so it affects
>> >> the screwed computer account, then just reboot the computer.
>> >>
>> >> -- 
>> >> Dmitry Korolyov [d__k@removethispart.mail.ru]
>> >> MVP: Windows Server - Directory Services
>> >>
>> >>
>> >> "Fluffy_Ninja" <FluffyNinja@discussions.microsoft.com> wrote in message
>> >> news:F984C487-1760-4185-9919-A3E870BB2941@microsoft.com...
>> >> > Hello.
>> >> > On a 2003 member server in our domain, I made the mistake of removing
>> >> > the Domain Admins group from the local administrators group on the
>> >> > server. I also managed to get myself in a situation whereby all other
>> >> > local users that are in the local administrator group have their
>> >> > accounts disabled. So I'm kind of in a catch 22 situation. I need to add
>> >> > Domain Admins group back in to the local administrators group on the
>> >> > machine, but to do so I need to use a local administrator account and
>> >> > all of these are disabled. Is there any possible way of fixing this? I
>> >> > have tried using the ntrights.exe utility, but this fails with an error.
>> >> > Thanks
>> >> > Rob
>> >>
>> >>
>> >>
>>
>>
>> 
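
The two Restricted Groups setups discussed in this thread (the built-in Administrators group with a Members list, and a domain group with a Member Of list) are stored as `__Members` and `__Memberof` lines in the GPO's GptTmpl.inf. The following is an added example, not part of the original posts: a small auditor that reports whether a policy replaces or only adds to local Administrators, and which accounts a replace would leave out. The domain SID, RID 1105 for Wrkstn_Admins, and the function names are constructed for illustration.

```python
import re

BUILTIN_ADMINS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID

# Constructed GptTmpl.inf fragments, one per approach in the thread.
# RID 512 is Domain Admins; RID 1105 stands in for Wrkstn_Admins (assumption).
MEMBERS_POLICY = f"""[Group Membership]
*{BUILTIN_ADMINS}__Members = *{DOMAIN}-512
"""
MEMBER_OF_POLICY = f"""[Group Membership]
*{DOMAIN}-1105__Memberof = *{BUILTIN_ADMINS}
[Version]
signature="$CHICAGO$"
"""

ENTRY = re.compile(
    r"^\*?(?P<group>.+?)__(?P<kind>Members|Memberof)\s*=\s*(?P<val>.*)$", re.I)

def parse_group_membership(inf_text):
    """Return [(group, mode, [principals])] from the [Group Membership] section."""
    findings, in_section = [], False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        m = ENTRY.match(line) if in_section else None
        if not m:
            continue
        principals = [p.strip().lstrip("*") for p in m["val"].split(",") if p.strip()]
        if not principals:
            continue  # empty side of an entry: skipped in this simplified example
        # Members is authoritative (unlisted members are removed); Member Of only adds.
        mode = "replace" if m["kind"].lower() == "members" else "add"
        findings.append((m["group"], mode, principals))
    return findings

def effect_on_local_admins(inf_text, must_keep=()):
    """Summarise what a policy does to the local Administrators group."""
    report = []
    for group, mode, principals in parse_group_membership(inf_text):
        if mode == "replace" and group == BUILTIN_ADMINS:
            lost = [s for s in must_keep if s not in principals]
            report.append({"mode": "replace", "members": principals, "not_listed": lost})
        elif mode == "add" and BUILTIN_ADMINS in principals:
            report.append({"mode": "add", "members": [group], "not_listed": []})
    return report

if __name__ == "__main__":
    keep = [f"{DOMAIN}-512", f"{DOMAIN}-1105"]
    print(effect_on_local_admins(MEMBERS_POLICY, keep))
    print(effect_on_local_admins(MEMBER_OF_POLICY, keep))
```

Running it before linking a GPO shows whether a Members entry on local Administrators would drop an account that still needs to be there.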

