Setting up local machine admins from GPO


Eric Sabine

It appears to me that a user with admin privs on his PC has removed the
"domain admins" from the administrators group of his PC. I say this because
when I open the MMC snap-in "Computer Management" and connect to his PC, I
get "access is denied" on things like the event viewer, device manager,
services, etc. I also can't remote registry to his PC. Before I go down to
his machine to confront him, I wonder if I can set a GPO policy to at least
force the "domain admins" into the local PC administrators group.

Incidentally, this user needs to be elevated to admin on his box because of
the development work, i.e., C++, Oracle, SQL Server, etc., he does.

thanks
Eric
 

Bobby Davies

Use the "restricted groups" option in your group policy. I have been warned
before to make sure that everyone that you want to have access to the PC as an
admin must be in the names you specify; we do this and it works great. :)
 

Eric Sabine

Thanks,

I just started looking there and I found this link
http://www.jsiinc.com/subk/tip5300/rh5319.htm but what I am having a
problem with is when I click Add Group, then browse, I don't see any "local
PC groups", i.e., Power Users, Administrators, etc. Any thoughts there?

Your statement --> I have been warned before to make sure that everyone that
you want to have access to the PC as an admin must be in the names you specify;
we do this and it works great. <--

Are you saying that the GPO setting overrides any local settings, and hence I
should make all the admin group decisions at the GPO level? My purpose was to
just ensure the "domain admins" group was a local admin on every machine. It
sounds then that when I do that, all people that are currently admins, i.e.,
developers and laptop users, will be bumped out of the admins group. But if
I make this setting GPO-wide, wouldn't users who are admins of their
machines become admins of other machines that they log into?

Eric
 

Guest

Eric, setting the group membership through GPO will set it for every machine the policy is applied to.
So if you add your user he/she will be local admin on all systems.

By default the browse will be at the domain level. You can change the focus or type it by hand.

And yes, the policy overrides local settings, so no extra members can be added locally.

But maybe you're having some other problem.
Perhaps the local time on this system is out of sync, resulting in the same problems you describe.
You might be able to check remotely by using W32tm /monitor /computers:<pcname>

In our case it turned out the XP clients added to the Windows 2000 domain were by default not using the domain time.
After we changed a setting in the registry on the clients they started synchronising the time
(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type from "NoSync" to "NT5DS")

Regards,
Rob
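The thread raises two separate checks: whether "Domain Admins" is still present in each PC's local Administrators group (the symptom in the first post) and whether the W32Time "Type" value is "NoSync" rather than "NT5DS" (Rob's time-sync suggestion). The script below is an added example, not code posted by anyone in this thread; it audits both across a list of computers so you can see which machines need the Restricted Groups policy and which have the time-sync setting Rob describes. It assumes you run it as a domain admin, that the computer names ("PC01", "PC02") are placeholders to replace with your own, and that the WinNT ADSI provider and the remote registry service are reachable on the targets; on a box where the querying account has been removed from local Administrators you will get the same "access is denied" the original poster saw, which the script reports per machine instead of stopping.

```powershell
# Added example (not from the thread): audit local Administrators membership
# and the W32Time "Type" registry value on a list of domain computers.
# Assumptions: run as a domain admin; $ComputerName entries are placeholders.

param(
    [string[]]$ComputerName = @('PC01', 'PC02'),   # constructed placeholders
    [string]$RequiredMember = 'Domain Admins'
)

function Get-LocalAdministrators {
    param([string]$Computer)
    # The WinNT ADSI provider works against 2000/XP-era clients as well as
    # current ones, so it fits the environment described in the thread.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Get-W32TimeType {
    param([string]$Computer)
    # Reads HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
    # remotely; expected values are "NT5DS" (domain time) or "NoSync".
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    try {
        $key = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Services\W32Time\Parameters')
        if ($key) { $key.GetValue('Type') } else { $null }
    } finally {
        $hive.Close()
    }
}

foreach ($pc in $ComputerName) {
    $result = [ordered]@{
        Computer       = $pc
        Administrators = $null
        HasRequired    = $false
        W32TimeType    = $null
        Error          = $null
    }
    try {
        $members = @(Get-LocalAdministrators -Computer $pc)
        $result.Administrators = $members -join ', '
        # $false here is the condition the Restricted Groups policy is meant to fix
        $result.HasRequired = $members -contains $RequiredMember
        $result.W32TimeType = Get-W32TimeType -Computer $pc
    } catch {
        # "Access is denied" lands here when the querying account is no longer
        # a member of the target's local Administrators group.
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}
```

Run it from a management workstation with `.\Audit-LocalAdmins.ps1 -ComputerName PC01,PC02` (the file name is your choice) and pipe the output to Format-Table or Export-Csv. Machines reporting HasRequired = False are the ones Eric is asking about; machines reporting W32TimeType = NoSync are candidates for the registry change Rob made. Note that when you later apply the policy, the "Members of this group" setting in Restricted Groups is authoritative and replaces the local list, which is the behaviour Rob describes, whereas the "This group is a member of" setting only adds the named group without removing existing local members.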
 
