Re: Local Administrators & Active Directory

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

Assuming that this is an existing AD environment, you should check to see if
you have Administrators set up as a Restricted Group under any Group Policy
Objects. Restricted Groups settings are listed in the GPO Editor under
Computer Configuration-->Windows Settings-->Security Settings-->Restricted
Groups. If Administrators is configured as a Restricted Group so that only
certain users are members of that group, any changes that you make to an
individual workstation will be erased roughly every 90 minutes when Group
Policy refreshes.

HTH


--
-----------------------
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_
(http://tinyurl.com/7f8ll)
Author: _Active Directory Cookbook, Second Edition_
(http://tinyurl.com/z7svl)

<fitchkd25@xxxxxxx> wrote in message
news:1172259391.967978.56730@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I'm working on some Win XP laptops and am new to Active Directory so
hopefully whoever may respond will be very concise in explaining the
solution.

I use Computer Management to make certain Active Directory groups
members of the Administrators group. This works great, for a while.

Can't figure out what's going on... but our users seem to lose
administrative rights over their laptops at random. They will bring
the PC back in claiming they lost administrative rights while they
were out in the field. I check the members list in Administrators...
and all the AD groups that were members are gone and have been
replaced by a white and red question mark-like icon with a string of
random characters.

The users in question have had their profile pulled down from the
server and changed from roaming to local as to hold their settings...
so the profile should never change.

Any idea why the Administrators group members constantly are being
wiped out? This has been a recurring issue that I am unable to figure
out. Any input from an expert would be great.

Kirby



.

Relevant Pages

  • Re: disclosure the administrative password
    ... If you create an account in the domain which your workstations are a ... part of and only make it a member of the 'administrators' group (not ... Properties, group Policy, New) with a name which makes sense (eg. ... groups of users to be members of different groups; ...
    (Focus-Microsoft)
  • Re: I CALL BULL SHIT ON MIKE PAYNES "UPA Members Call to Action" artical.....
    ... The stategy should be to get general info from a larger ... members giving feedback no one knows ANYTHING about what the majority ... upa administrators just fine. ... dosent it seem odd to you that upa administrators have never seen fit ...
    (rec.sport.disc)
  • Re: Local security group
    ... of the local restircted user account is meaning, ... use members list to state Turkey and Domain Admins ... Administrators group containing only Turkey and Domain Admins ... I have tested using a Restricted Group definition in a GPO linked to OU ...
    (microsoft.public.windows.group_policy)
  • Re: [Full-Disclosure] UTTER HORSESHIT: [was January 15 is Personal Firewall Day, help the cause]
    ... > ever heard for not using security products. ... Many of the people on here care nothing about security, ... >> If Annie's weren't members of Administrators, ... >> Administrators would not have access to apps like IE and OE, ...
    (Full-Disclosure)
  • Re: Help needed setting up roaming administrator
    ... >Administrators group (just type in Administrators, don't browse for it, ... >add your Roaming Local Admins group to the Members of this group section ... GPO associated with the OU that contains the computers I want to use ... restricted group and to define the groups the restricted group will ...
    (microsoft.public.win2000.security)