Re: Win 2003 Local Admin Problem

From: Fluffy_Ninja (FluffyNinja_at_discussions.microsoft.com)
Date: 01/18/05


Date: Tue, 18 Jan 2005 06:27:04 -0800

You're right, I could do that, but it would remove all other users and groups
in the local Administrators group on every machine. I do not want to do this
because some machines have individual users added as local administrators.

As far as I can tell, my technique should work. See Microsoft article 810076.

"Dmitry Korolyov [MVP]" wrote:

> You should have defined a built-in Administrators group as a restricted
> group, and define its membership to include Domain Admins group, for
> example.
>
> --
> Dmitry Korolyov [d__k@removethispart.mail.ru]
> MVP: Windows Server - Directory Services
>
>
> "Fluffy_Ninja" <FluffyNinja@discussions.microsoft.com> wrote in message
> news:AE08FB64-6D7F-43A5-899E-5FD75D75F4CC@microsoft.com...
> > Hi Dmitry
> >
> > Following this advice, it is only partially successful. I created a test OU
> > and a test GPO applied to that OU. On my PC using Group Policy Management
> > Console, I created a restricted group called Wrkstn_Admins and in the Member
> > Of list, I added the local administrators group on my PC. This should add the
> > domain group Wrkstn_Admins to the local administrators group on all computers
> > in my OU. I added my computer and one other to my OU and I ran gpupdate
> > /force on both machines. On my PC, the update was successful, but on the
> > other PC there was no effect.
> >
> > Please can you advise why this worked on my PC and not on the other one?
> >
> > Many Thanks, Rob
> >
> > "Dmitry Korolyov [MVP]" wrote:
> >
> >> You can look at the following KB articles for detail about Restricted Groups
> >> feature:
> >>
> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;279301
> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;228496
> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;320065
> >>
> >> I also suggest that you perform changes in a test environment to make
> >> yourself suitable with these features before rolling them out to production
> >> environment.
> >>
> >> --
> >> Dmitry Korolyov [d__k@removethispart.mail.ru]
> >> MVP: Windows Server - Directory Services
> >>
> >>
> >> "Fluffy_Ninja" <FluffyNinja@discussions.microsoft.com> wrote in message
> >> news:F9D9A1A6-3306-4D4C-8293-1A438C47D154@microsoft.com...
> >> > Please could you describe the exact steps required to do this. I'm aware
> >> > that if I make a mistake I could strip out all local admin users.
> >> >
> >> > "Dmitry Korolyov [MVP]" wrote:
> >> >
> >> >> You can use Restricted Groups feature of the GP to add Domain Admins into
> >> >> builtin Administrators group. Configure a GPO and apply it so it affects
> >> >> the screwed computer account, then just reboot the computer.
> >> >>
> >> >> --
> >> >> Dmitry Korolyov [d__k@removethispart.mail.ru]
> >> >> MVP: Windows Server - Directory Services
> >> >>
> >> >>
> >> >> "Fluffy_Ninja" <FluffyNinja@discussions.microsoft.com> wrote in message
> >> >> news:F984C487-1760-4185-9919-A3E870BB2941@microsoft.com...
> >> >> > Hello.
> >> >> > On a 2003 member server in our domain, I made the mistake of removing
> >> >> > the Domain Admins group from the local administrators group on the
> >> >> > server. I also managed to get myself in a situation whereby all other
> >> >> > local users that are in the local administrator group have their
> >> >> > accounts disabled. So I'm kind of in a catch 22 situation. I need to
> >> >> > add Domain Admins group back in to the local administrators group on
> >> >> > the machine, but to do so I need to use a local administrator account
> >> >> > and all of these are disabled. Is there any possible way of fixing
> >> >> > this? I have tried using the ntrights.exe utility, but this fails with
> >> >> > an error.
> >> >> > Thanks
> >> >> > Rob
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
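
The two approaches compared in this thread (defining the membership of the built-in Administrators group versus putting a domain group in the "Member Of" list), as an added example that is not part of any poster's message: a parser that reads the `[Group Membership]` section of a GPO security template and reports which entries replace the local Administrators membership and which only add to it. The function names and the sample template are assumptions; the domain SIDs in the sample are constructed, and both styles are placed in one template only for comparison.

```python
# Added example: classify Restricted Groups entries from the
# [Group Membership] section of a security template (GptTmpl.inf).
BUILTIN_ADMINS = "*S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample, not taken from the thread. The domain SIDs are made up.
SAMPLE_INF = """\
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members =
[Version]
signature="$CHICAGO$"
"""

def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}}."""
    groups = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        kind = kind.lower()
        if not sep or kind not in ("members", "memberof"):
            continue
        names = [v.strip() for v in value.split(",") if v.strip()]
        groups.setdefault(group, {"members": [], "memberof": []})[kind] = names
    return groups

def classify(groups, target=BUILTIN_ADMINS):
    """List settings that touch `target` as (mode, group, names)."""
    findings = []
    for group, cfg in groups.items():
        if group.lower() == target.lower() and cfg["members"]:
            # "Members" is authoritative: anything not listed is removed.
            findings.append(("replace", group, cfg["members"]))
        if any(n.lower() == target.lower() for n in cfg["memberof"]):
            # "Member Of" only adds `group` to the target group.
            findings.append(("add", group, [target]))
    return findings
```

Empty `__Members` and `__Memberof` values are parsed but deliberately left unclassified.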


