Re: gpo for local admin restrictions



Hi Glenn,

Thanks for your reply. Oh well, I guess I'll have to find another
solution... Would it be possible at all to script this then, or is this
something that's a plain no-go?

Tnx,
Taz

"Glenn LeCheminant" wrote:

> No, this is not possible.
> Administrators cannot be prevented from performing this task.
>
> --
> Glenn LeCheminant
> CCNA, MCSE 2000/2003 + Security
>
> "Taz" <Taz@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:F7450241-0122-4934-B94B-2F46701C5991@xxxxxxxxxxxxxxxx
> > Hi,
> >
> > Is there a possibility to prevent local administrators from removing the
> > computer account from the domain? I have a large network environment and
> > constantly have the issue of my users (who are all local admins on the
> > pc's) removing themselves from the domain and I want to put a stop to this.
> > What I want to do is apply a GPO to all users in my domain that restricts
> > them from doing this (they all must remain as local admins though). I
> > browsed around in AD but couldn't find any GPO that does this. Maybe
> > someone has an idea?
> >
> > Any help would be appreciated.
> >
> > Thanks,
> > Taz
>
>
>