Re: Domain Admin Account deleted by local Admin

Tech-Archive recommends: Speed Up your PC by fixing your registry

From: Torgeir Bakken \(MVP\) (Torgeir.Bakken-spam_at_hydro.com)
Date: 10/06/04 

Date: Wed, 06 Oct 2004 17:54:45 +0200

Sergiu wrote:

> hi.
> i have windows server 2003 enterprise and i have the following problem. in
> my domain, all the users are local admins, but some of them are deleting the
> domain admin from local administrators group. that issue is creating me a big
> problem because some maintanance tasks that im trying to run on that
> computers, or programs that should be install remote like antivirus client
> etc are failing to install.
>
> my question is if there is a metod to do not allow those computer without
> domain admin account to authentificate with the domain controller, or any
> other trick so i can stop this problem in an elegant way. the users to be
> users on their computers is not a sollution.
Hi

A couple of options:

1)
Create a GPO based computer startup script that adds the "domain
admins" group to the Administrators group (and maybe add the same
code to the user logon script as well).

2)
Restricted Groups enforced with Group Policy is maybe an option:

http://groups.google.com/groups?selm=uM5aZa1YDHA.440%40tk2msftngp13.phx.gbl

and

How to Configure a Global Group to Be a Member of the Administrators
Group on all Workstations
http://support.microsoft.com/default.aspx?scid=kb;en-us;320065

Note that this will delete all existing members of the local
Administrators group, so to support that the users are to be local
admins, you need to add something "common" to the Administrators
group to handle this.

We add "NT Authority\Interactive" in the local Administrators group
to let all domain users automatically be local admins when they log
on to a computer interactively.

This is more secure than adding "Authenticated Domain users ",
"Domain Users" or "NT AUTHORITY\Authenticated Users" because you
avoid the issue with cross network admin rights (remote access)
that these groups introduces. 

-- 
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx

Relevant Pages

  • Re: New AD installation issue
    ... Then a second server was added to the domain. ... (I am a member of the Administrators ... Membership of the Administrators group in the domain gives you admin access ... Membership of the Domain Admins group grants you admin privileges to the ...
    (microsoft.public.windows.server.active_directory)
  • Re: Rid AD of Circular Group Membership
    ... and have use on members if it is used there. ... Administrators group is still intact), nor do they have empowerments over ... Admins is being used for by the 30+ can be delegated I(ex. ... The quess is each has an account and uses it, ...
    (microsoft.public.windows.group_policy)
  • Re: Get prompted for username and password on PC in another forest/domain
    ... Did you make sure that the Builtin\Administrators group is member of the local admins on the computer? ... By default the domain administrators group is added to the local administrators, not the Builtin\administrators group, where the domain admins are member of. ...
    (microsoft.public.windows.server.active_directory)
  • Re: users removing Domain Admin from local admin group
    ... You can't set the machine up so local admins can't modify the local ... administrators group. ... If the corporate policy is that domain admins are to be listed in the ...
    (microsoft.public.win2000.security)
  • ADMT V3 has no right to migrate computers account from NT4 to 2003
    ... I'm trying to migrate a test computer account from NT4 domain to AD2003 and ... is a member of local administrators group on the machine 'pc_test_migraci'. ... Obiously the computer to be migrated has only SourceDomain\Domain Admins ... normal users and have no rights to execute a net localgrou administrators ...
    (microsoft.public.windows.server.migration)