Re: Win 2003 Local Admin Problem
From: Dmitry Korolyov [MVP] (d__k_at_removethispart.mail.ru)
Date: 01/18/05
Date: Tue, 18 Jan 2005 18:51:49 +0300
In your initial posting, you indicated that you have removed Domain Admins
group from built-in Administrators group by mistake. Using RG feature in a
way I've described is one of the possible solutions to fix it. Just apply
GPO to a single OU with that computer account only.
--
Dmitry Korolyov [d__k@removethispart.mail.ru]
MVP: Windows Server - Directory Services

"Fluffy_Ninja" <FluffyNinja@discussions.microsoft.com> wrote in message
news:9751D5B3-8D5B-496B-8E0A-0A6A95E34661@microsoft.com...
> You're right, I could do that, but it would remove all other users and groups
> in the local Administrators group on every machine. I do not want to do this
> because some machines have individual users added as local administrators.
>
> As far as I can tell, my technique should work. See Microsoft article 810076.
>
> "Dmitry Korolyov [MVP]" wrote:
>
>> You should have defined a built-in Administrators group as a restricted
>> group, and define its membership to include Domain Admins group, for
>> example.
>>
>> --
>> Dmitry Korolyov [d__k@removethispart.mail.ru]
>> MVP: Windows Server - Directory Services
>>
>> "Fluffy_Ninja" <FluffyNinja@discussions.microsoft.com> wrote in message
>> news:AE08FB64-6D7F-43A5-899E-5FD75D75F4CC@microsoft.com...
>> > Hi Dmitry
>> >
>> > Following this advice, it is only partially successful. I created a test
>> > OU and a test GPO applied to that OU. On my PC using Group Policy
>> > Management Console, I created a restricted group called Wrkstn_Admins
>> > and in the Member Of list, I added the local administrators group on my
>> > PC. This should add the domain group Wrkstn_Admins to the local
>> > administrators group on all computers in my OU. I added my computer and
>> > one other to my OU and I ran gpupdate /force on both machines. On my PC,
>> > the update was successful, but on the other PC there was no effect.
>> >
>> > Please can you advise why this worked on my PC and not on the other one?
>> >
>> > Many Thanks, Rob
>> >
>> > "Dmitry Korolyov [MVP]" wrote:
>> >
>> >> You can look at the following KB articles for detail about Restricted
>> >> Groups feature:
>> >>
>> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;279301
>> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;228496
>> >> http://support.microsoft.com/default.aspx?scid=kb;en-us;320065
>> >>
>> >> I also suggest that you perform changes in a test environment to make
>> >> yourself suitable with these features before rolling them out to
>> >> production environment.
>> >>
>> >> --
>> >> Dmitry Korolyov [d__k@removethispart.mail.ru]
>> >> MVP: Windows Server - Directory Services
>> >>
>> >> "Fluffy_Ninja" <FluffyNinja@discussions.microsoft.com> wrote in message
>> >> news:F9D9A1A6-3306-4D4C-8293-1A438C47D154@microsoft.com...
>> >> > Please could you describe the exact steps required to do this. I'm
>> >> > aware that if I make a mistake I could strip out all local admin
>> >> > users.
>> >> >
>> >> > "Dmitry Korolyov [MVP]" wrote:
>> >> >
>> >> >> You can use Restricted Groups feature of the GP to add Domain Admins
>> >> >> into builtin Administrators group. Configure a GPO and apply it so
>> >> >> it affects the screwed computer account, then just reboot the
>> >> >> computer.
>> >> >>
>> >> >> --
>> >> >> Dmitry Korolyov [d__k@removethispart.mail.ru]
>> >> >> MVP: Windows Server - Directory Services
>> >> >>
>> >> >> "Fluffy_Ninja" <FluffyNinja@discussions.microsoft.com> wrote in
>> >> >> message news:F984C487-1760-4185-9919-A3E870BB2941@microsoft.com...
>> >> >> > Hello.
>> >> >> > On a 2003 member server in our domain, I made the mistake of
>> >> >> > removing the Domain Admins group from the local administrators
>> >> >> > group on the server. I also managed to get myself in a situation
>> >> >> > whereby all other local users that are in the local administrator
>> >> >> > group have their accounts disabled. So I'm kind of in a catch 22
>> >> >> > situation. I need to add Domain Admins group back in to the local
>> >> >> > administrators group on the machine, but to do so I need to use a
>> >> >> > local administrator account and all of these are disabled. Is
>> >> >> > there any possible way of fixing this? I have tried using the
>> >> >> > ntrights.exe utility, but this fails with an error.
>> >> >> > Thanks
>> >> >> > Rob