Re: Local Admin user removed from Administrator group



Restricted Groups - yes...

What I don't understand is why locally created users, that are
locally added to the local administrators group, are being removed from
the admin group by the policy.

That aside - how can I exclude a machine from the GPO? (Apart from moving
it to a different branch of the AD tree.)

Lanwench [MVP - Exchange] wrote:
In news:45AE3C51.2080907@xxxxxxxxxxxxxxxxxxxxxxx,
Adrian Marsh (NNTP) <adrian.marsh@xxxxxxxxxxxxxxxxxxxxxxx> typed:
Hi,

I've a fairly out-of-box SBS 2003 R1 group policy setup.

I've added a new SQL server, which runs some Jboss applications. As
part of the Jboss setup I need to run a service as a local Admin.

I created the local user (I don't need/want a domain account for this),

Why not?

and assigned them to the local server Administrators group.

I have a GPO that says all domain users are part of their local Admin
group.

That's unwise; your users should not be anything other than users. However,
that being said, are you using restricted groups? If so, this is normal -
the restricted group settings supersede the locally-configured group
membership. Perhaps you need to link the GPO in question to another OU or
otherwise exclude it from being applied to the member server in question.

This seems to have the effect of removing my Local users from the
Local Administrators group. (We see an event 637 when I turn on more
logging).


How can I enable either the Domain, or Local GPO to let the Jboss user
keep its Administrator rights?

Cheers,

Adrian
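
The behaviour discussed in this thread, as an added example that is not part of the original posts: a Python sketch that reads the `[Group Membership]` section of a GPO security template (GptTmpl.inf) and predicts which current members of a local group the policy would remove. It assumes the GPO uses a Restricted Groups "Members" list; all SIDs, the sample template and the function names are constructed for illustration.

```python
import configparser

ADMINISTRATORS = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
DOM = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
LOCAL_JBOSS = "S-1-5-21-4444444444-5555555555-6666666666-1005"  # constructed local user SID

# Constructed [Group Membership] section in the layout a GPO's GptTmpl.inf uses.
# A real file is UTF-16; decode it before passing the text in.
SAMPLE_INF = f"""\
[Unicode]
Unicode=yes
[Group Membership]
*{ADMINISTRATORS}__Memberof =
*{ADMINISTRATORS}__Members = *{DOM}-512,*{DOM}-513
"""

# Constructed current membership of the member server's local Administrators group.
CURRENT = {f"{DOM}-512", f"{DOM}-513", LOCAL_JBOSS}


def parse_restricted_groups(inf_text):
    """Return {group: {"members": set or None, "memberof": set or None}}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep keys as written instead of lower-casing them
    cp.read_string(inf_text)
    groups = {}
    if not cp.has_section("Group Membership"):
        return groups
    for key, value in cp.items("Group Membership"):
        group, _, kind = key.rpartition("__")
        kind = kind.lower()
        if not group or kind not in ("members", "memberof"):
            continue
        entry = groups.setdefault(group.lstrip("*"), {"members": None, "memberof": None})
        entry[kind] = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return groups


def predict_removals(policy, group, current_members):
    """Accounts the policy would drop from `group` on the next refresh."""
    entry = policy.get(group)
    if entry is None or entry["members"] is None:
        return set()  # no Members list for this group: membership is left alone
    # A Members list is authoritative, even when empty: anything unlisted goes.
    return set(current_members) - entry["members"]


if __name__ == "__main__":
    print(predict_removals(parse_restricted_groups(SAMPLE_INF), ADMINISTRATORS, CURRENT))
```

With the constructed data, only the locally created service account is reported, because it is the one member the "Members" list does not name.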


