Domain Admins in local admin group

Dan

The other day I posted here about using restricted groups to add Domain Admins to the local admin group of all machines without killing the other groups/users already listed there. Since the machine users do have admin rights, I can't use the "traditional" kill-everyone-else functionality that the RGs possess. I was pointed to KB810076, which I found is not needed on W2K3 according to Microsoft. How come I am still seeing the default behavior of the RGs (killing all other groups in the local admin group)? I have a 2K3 server and am testing this on another 2K3 server and an XP Pro machine. The XP Pro machine actually does something a bit different and leaves the list as it was before I applied the KB patch.

Very odd,
Dan
 
Cary Shultz [A.D. MVP]

Dan,

I was not aware that anything had changed on W2K03 Server. Plenty of people have posted this same question in a WIN2003 AD environment with WINXP clients. I have given the same suggestion to them and they seemed to benefit from the 810076 patch.

However, I have not played with this in a WIN2003 AD environment (have done just a little bit and not much more yet!), so I cannot speak from experience.

Are you saying that you called MS-PSS and they informed you that you do not need this patch BECAUSE you are running WIN2003 Server (Active Directory)? I will have to play with this (tomorrow) to test it for myself.

If this is indeed the case (that you do not need 810076), then I am sorry that I gave you useless information. However, this differs from what others have posted.

Also, and this is a general statement, it might be good to include the operating system when you make posts. The assumption is that you are in a WIN2000 AD environment, as you are posting in the WIN2000 Active Directory newsgroup. However, I did not stipulate - one way or the other - that this was a WIN2000 fix (as I was under the impression that it worked in both WIN2000 and WIN2003).

I will test it tomorrow and post my findings. Again, I am under the impression that in WIN2003 the Restricted Group GPO maintains the 'flush and load' behavior, just as it does in WIN2000.

Cary
 
Dan

Thanks Cary.... Actually, under 2K03 you can't even install the patch, as the OS tells you that it isn't needed. As for the XP client, according to MS, you only need it on pre-SP2 clients. I can definitely see that the behavior is different on XP than on the server OS, but it still doesn't work correctly either way for me. Please update me with your findings and I will do the same, as I plan on playing with it a bit more this afternoon.

Thanks,
Dan
 
Cary Shultz [A.D. MVP]

Dan,

I should have been clearer. The patch that you receive from MS-PSS is indeed for WIN2000 (all versions) and WINXP Pro. I did not know that SP2 includes this patch. I guess that you learn something new every day! This will be part of my playing tomorrow.

Now, for WIN2003 Server on a member server - I would 'assume' that the patch is either not needed or not intended for WIN2003, as the article explicitly states WIN2000 and WINXP Pro. I will play with this as well.

Cary
 
Cary Shultz [A.D. MVP]

Dan,

I did some preliminary testing in my lab. I have a WIN2003 Domain Controller (forest and domain functionality at WIN2003), a WIN2003 Member Server and a WINXP Pro SP1a system. I created an OU structure of:

Windows Systems
    WIN2000
    WINXP Pro
    Servers

I placed the WINXP Pro SP1a system in the WINXP Pro OU and the WIN2003 Member Server in the Servers OU. At first I created a 'HelpDesk' group with three members: helpdesk001, helpdesk002 and helpdesk003. I logged onto the WINXP Pro system as Administrator (domain user account object) and made three domain user account objects members of the local Administrators group - in addition to the local Administrator account and the Domain Admins group. I did the same on the WIN2003 Member Server.

I then created the Restricted Users GPO (by using the Adminpak on the WINXP Pro system), which consisted of the Domain Admins and the HelpDesk security groups. The GPO was linked to the 'Windows Systems' OU. I restarted both systems and the three domain user account objects were not there anymore, and the Domain Admins and HelpDesk groups were (as well as the local Administrator user account). So far so good.

I then unlinked the GPO from the 'Windows Systems' OU and restarted each system and, much to my surprise (maybe I should not be surprised, but this does not happen in WIN2000), the two security groups named in the RG GPO were not there (okay, totally expected) but the three domain user account objects were back! This is new to me. I then completely deleted the GPO and then created another one, this time using a different group. I linked this GPO directly to the two OUs (instead of to the parent OU - should not have changed anything, but I wanted to see). Same behavior. I then completely rebuilt the forest (it is in a test lab, so no problem) and the same thing happened. And I have not even started with the patch!

Now, the only thing that I can think of is that I am using the evaluation version of WIN2003 Enterprise Edition. I do not know if this differs from the released version. I will have to check this out.

I installed WINXP SP2 on the XP system and the same thing happens. Add a couple of domain user account objects to the local Administrators group, log on as them, log on as Administrator and create the RG GPO, reboot, everything is good, remove the link to that specific OU (in this case the WINXP Pro OU) and reboot, and those pesky user account objects are back!

Can anyone confirm or refute my findings? Remember, I am using the evaluation version of WIN2003 Enterprise Edition. This is pretty much my first long look at WIN2003, so I am not too familiar with it yet!

Thanks all,

Cary
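The lab check Cary describes above (snapshot the local Administrators group, apply the Restricted Groups GPO, reboot, look again) can be scripted so the before/after difference is recorded rather than eyeballed. The following is an added example, not code from the thread or from Microsoft: it parses the output of "net localgroup", which exists on every Windows version discussed here, and reports which members a Group Policy refresh removed or added. If any member is removed, the policy is behaving as the authoritative "Members" list (flush and load) rather than as the additive "Member of" list. The baseline file path, the use of gpupdate instead of a reboot, and the group name are assumptions for the example.

```powershell
# Added example (not from the thread). Compares the local Administrators
# membership before and after a Group Policy refresh to show whether the
# Restricted Groups policy flushed the existing members.

function Get-LocalAdminMembers {
    param([string]$Group = 'Administrators')   # assumed: the built-in group under test
    # "net localgroup <name>" prints a header, a line of dashes, one member
    # per line, then "The command completed successfully." Keep the members.
    $lines = net localgroup $Group
    if ($LASTEXITCODE -ne 0) { throw "net localgroup $Group failed" }
    $inList = $false
    $members = foreach ($line in $lines) {
        if ($line -match '^-{5,}') { $inList = $true; continue }
        if (-not $inList) { continue }
        if ($line -match '^The command completed') { break }
        if ($line.Trim()) { $line.Trim() }
    }
    return @($members | Sort-Object -Unique)
}

function Compare-AdminMembership {
    param(
        [string[]]$Before,
        [string[]]$After
    )
    $removed = @($Before | Where-Object { $After  -notcontains $_ })
    $added   = @($After  | Where-Object { $Before -notcontains $_ })
    [pscustomobject]@{
        Removed      = $removed
        Added        = $added
        # Any removal means the "Members" list was applied authoritatively.
        FlushAndLoad = ($removed.Count -gt 0)
    }
}

# --- usage ---------------------------------------------------------------
$baselineFile = 'C:\Temp\admins-before.txt'   # assumed path for the snapshot

$before = Get-LocalAdminMembers
$before | Set-Content -Path $baselineFile

# Assumed: a forced computer policy refresh stands in for the reboot.
gpupdate /target:computer /force | Out-Null

$after  = Get-LocalAdminMembers
$result = Compare-AdminMembership -Before (Get-Content -Path $baselineFile) -After $after
$result | Format-List
```

Run it once with the GPO linked and once after unlinking it; the second run shows whether the removed accounts come back, which is the behaviour Cary reports on WIN2003 and WINXP SP2.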