Re: Domain Admin Account deleted by local Admin

From: Mike Brannigan [MSFT] (mikebran_at_online.microsoft.com)
Date: 10/06/04


Date: Wed, 6 Oct 2004 08:26:22 +0100


"Sergiu" <Sergiu@discussions.microsoft.com> wrote in message
news:1ABB8AD1-5D5C-43C9-8DD1-9D31415BDD8F@microsoft.com...
> hi.
> i have windows server 2003 enterprise and i have the following problem. in
> my domain, all the users are local admins, but some of them are deleting the
> domain admin from local administrators group. that issue is creating me a big
> problem because some maintenance tasks that i'm trying to run on those
> computers, or programs that should be installed remotely like antivirus client
> etc are failing to install.
>
> my question is if there is a method to not allow those computers without
> domain admin account to authenticate with the domain controller, or any
> other trick so i can stop this problem in an elegant way. the users to be
> users on their computers is not a solution.
>

Before looking for technical solutions I would look at your company policy
and decide if all employees must comply with all issued company-wide
policies etc.
Then ensure that everyone is told not to change or alter the contents of the
local administrators group.
If they then continue to do this they can be subject to disciplinary
proceedings.
This will usually stop most tampering; since only the primary user of that PC
is making this change, it is fairly easy to work out who it is and thus
provide them with a formal warning etc.

As regards a technical solution - the use of restricted groups may help;
see http://support.microsoft.com/?id=810076
However this will also mean that, as there is no "merging" of groups, you will
need to make all users in one domain level group admins on all PCs, e.g.
add Domain Users to the local admin group as well as Domain Admins.
This will mean that whenever Group Policy is reprocessed for that machine
it will put back the Domain Admins group into the local Admins group.

-- 
Regards,
Mike
--
Mike Brannigan [Microsoft]
This posting is provided "AS IS" with no warranties, and confers no rights
Please note I cannot respond to e-mailed questions, please use these newsgroups
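
An added example, not part of the original thread: a Python check that reads a GPO security template (GptTmpl.inf) and reports which required principals the Restricted Groups "Members" list for BUILTIN\Administrators does not enforce, which is the "no merging" point made in the reply above. The sample template, the domain SID and the function names are constructed for illustration.

```python
import configparser

ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
# Constructed placeholder domain SID; RID 512 = Domain Admins, 513 = Domain Users.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
DOMAIN_ADMINS, DOMAIN_USERS = f"{DOMAIN}-512", f"{DOMAIN}-513"

# Constructed sample template: Administrators is restricted to Domain Admins only.
SAMPLE_INF = f"""\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*{ADMINISTRATORS}__Memberof =
*{ADMINISTRATORS}__Members = *{DOMAIN_ADMINS}
"""

def restricted_members(inf_text, group_sid=ADMINISTRATORS):
    """Return the Members list enforced for group_sid, or None if it is not restricted."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    parser.optionxform = str  # keep key case as written in the template
    parser.read_string(inf_text)
    key = f"*{group_sid}__Members"
    if not parser.has_option("Group Membership", key):
        return None
    raw = parser.get("Group Membership", key)
    # Entries are comma separated; SIDs carry a leading '*'.
    return [m.strip().lstrip("*") for m in raw.split(",") if m.strip()]

def not_enforced(inf_text, required):
    """Required principals that a policy refresh will not put (back) into the group."""
    members = restricted_members(inf_text)
    enforced = {m.upper() for m in (members or [])}
    return [r for r in required if r.upper() not in enforced]

if __name__ == "__main__":
    required = [DOMAIN_ADMINS, DOMAIN_USERS]
    print("enforced members:", restricted_members(SAMPLE_INF))
    print("not enforced:", not_enforced(SAMPLE_INF, required))
```

Template files in SYSVOL are typically stored as UTF-16, so decode the file before passing its text in. This sketch compares SIDs only; entries written as account names would need resolving first.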