domain admin rights keep changing on workstations

A

Art

I manage about 100 machines on my network and to allow SMS and Symantec to
function properly, we've added the domain admin accounts rights to the
machines as administrators to the local PCs.

After a short while - about just over 1 day, that account will drop to
either "Offer Remote Assistance Helpers". How do I keep it from changing
from Administrator?

I did not see anything in the GPO's to create this setting? After
searching these newsgroups, I did see a script that I could run in VBScript
to add the account everytime they login? What is a good solution that would
keep the domain account permenatly set to administrator for the local
computer? The computers, for now, are all running Windows XP Pro.

Heres' the script that I found in these news groups incase you are wondering:
net localgroup administrators DOMAIN\domainadmin /add
net localgroup power users ....
net localgroup remote desktop users ...

Thanks in advance!
 
S

Salvador Manaois III

Have you ran RSoP and verified that no group policy setting is causing your
issue? My hunch is that there might be a "Restricted Groups" implementation
in your environment. Some links pertaining to this are listed below:

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
http://technet.microsoft.com/en-us/library/cc785631.aspx
http://technet.microsoft.com/en-us/library/cc756802.aspx

It could be that when the GPO containing this setting gets reapplied in the
next refresh cycle, the assigned rights (admin) you have manually made gets
overwritten.
 
A

Art

Salvador Manaois III said:
Have you ran RSoP and verified that no group policy setting is causing your
issue? My hunch is that there might be a "Restricted Groups" implementation
in your environment. Some links pertaining to this are listed below:

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
http://technet.microsoft.com/en-us/library/cc785631.aspx
http://technet.microsoft.com/en-us/library/cc756802.aspx

It could be that when the GPO containing this setting gets reapplied in the
next refresh cycle, the assigned rights (admin) you have manually made gets
overwritten.
Click to expand...

Thank you, I will take a look at those links and reply here. (Sorry it took
so long to reply! I had to search the news groups to find it again. The
automatic link that was sent to me from here when there's replies DOES NOT
work! Someone might want to take a look at that issue - here's what was sent
to me
"http://www.microsoft.com/wn3/aspx/n...dmin&mid=b0ff5eb1-8dc7-40b9-a753-a2dc01fbdf7c")
 
A

Art

Art said:
Thank you, I will take a look at those links and reply here. (Sorry it took
so long to reply! I had to search the news groups to find it again. The
automatic link that was sent to me from here when there's replies DOES NOT
work! Someone might want to take a look at that issue - here's what was sent
to me
"http://www.microsoft.com/wn3/aspx/n...dmin&mid=b0ff5eb1-8dc7-40b9-a753-a2dc01fbdf7c")
Click to expand...

I checked our many GPO's and discovered that we are not using
"Restricted-Groups" in any of our GPO's. We do have folks that MUST have
Local Administrator rights to their machines to run some applications but
other than that requirement, I just am not finding anything that would cause
the domain account rights to be dropped to the lower settings on the
workstations.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Do I need a Local admin account? 2
can not add myself into the local admin group. But am the Domain A 1
adding to user group after first time login 1
Local admin rights 1
Domain Admin Rights on XP PRO 1
WinXP admin rights 1
Mobile User - Temporary Admin Rights 3
wierd batch file behavior 3

Top