Adding Groups to Local Administrator Remotely

[Andy Damron]

I am a domain admin in our Windows 2000 server
environment. I have some users (that have local
administrative rights) that have removed the domain
admins from the local administrators group. This has
prevented me from performing several functions when
remotely administering these particular computers.

I have tried policies in AD, but they have all been
unsuccessful. I can't seem to find a way to bypass the
local security on these computers even though these
computers are part of the domain.

I would like to know if there is a way to remotely push
adding the domain admins group back into the local
administrators group on these computers.

Thanks

 

[Roger Abell]

Restricted groups in GPO applied to machines can
take complete control over the local Administrators
group membership. If UserA is to also be admin on
MachineA, UserB on MachineB, etc. then use of the
Restricted Groups capability is problematic. In this
case you could use a Startup script to do such as
net localgroup Administrators "domname\Domain Admins" /Add
but the local admin could then remove this as soon as
they log in.
If you now have no admin account on some machine
then there is no direct way to exercise admin powers
there to do such things as adjusting group memberships,
other than what was already mentioned, or similar (push an
install that includes adjustment of membership, for example).