Smart user removing domain admin group from local admin group

Jody Riding

I have a couple of "smart" users that are removing the
Domain administrator group from the local admin group on
their PC. This is creating serious issues with trying to
administrate the environment. I remember from an old job I
had where there was a script that was put into Active
Directory that would force / re-add the domain admin group
to the local admin group. The script would force this due to
the fact of connection and login to AD. This force was not
account linked but forced due to being in the login script
section of AD. If anyone has any ideas on this it would be
greatly appreciated.

Please feel free to email me as well.

J Riding
 
Chriss3

Hello Jody.

Maybe you should not give them local administrator rights if they are not
trusted. The article below shows how you can link the domain admins group to
the local admin group; the membership will refresh every time the GPO is
re-applied, I think. It's every 90 min by default.

Restricted groups within a Group Policy allow you to map membership
http://www.chrisse.se/MAQB.asp?ID=29
 
ptwilliams

I have to chip in here. Chris' solution is the solution to take; however,
GPO processing does occur every 90 mins by default, but once it has applied
it will not apply again unless the GPO is changed. Therefore, if the users
change the group membership after GPO application, it will not get changed
again until foreground processing occurs - a logon (or reboot) or secedit
/refreshpolicy machine_policy /enforce (unless you've set the security
client side extension to process every time regardless of change).

--

Paul Williams
_________________________________________
http://www.msresource.net


Join us in our new forums!
http://forums.msresource.net
_________________________________________
Chriss3

Good point. Also note the Restricted Group Policy will clear every existing
member of the local group and replace it with the members listed in the
policy.
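
Added example, not code from the thread or the linked article: a Windows PowerShell startup script of the kind the original question asks about, which checks the local Administrators group for the Domain Admins SID, re-adds it if missing, and logs the result so the removal can be followed up. The event source name `LocalAdminGuard`, event ID 1001, and running it as a computer startup script are assumptions; unlike Restricted Groups, it only adds the one member and removes nothing.

```powershell
#Requires -Version 5.1
# Added example: intended as a computer startup script (runs as SYSTEM) on a domain-joined PC.
$AdminsSid = 'S-1-5-32-544'      # well-known SID of BUILTIN\Administrators
$Source    = 'LocalAdminGuard'   # hypothetical event source name (assumption)

function Get-DomainAdminsSid {
    # Build <domain SID>-512 from the computer account, so no localized group name is needed.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) { throw 'Computer is not joined to a domain.' }
    $machine    = [System.Security.Principal.NTAccount]::new($cs.Domain, "$($cs.Name)`$")
    $machineSid = $machine.Translate([System.Security.Principal.SecurityIdentifier])
    $kind       = [System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid
    [System.Security.Principal.SecurityIdentifier]::new($kind, $machineSid.AccountDomainSid)
}

function Write-GuardEvent([string]$Message, [string]$Type = 'Information') {
    # Register the event source on first use, then write to the Application log.
    if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
        New-EventLog -LogName Application -Source $Source
    }
    Write-EventLog -LogName Application -Source $Source -EntryType $Type -EventId 1001 -Message $Message
}

try {
    $daSid   = Get-DomainAdminsSid
    $present = Get-LocalGroupMember -SID $AdminsSid -ErrorAction Stop |
        Where-Object { $_.SID.Value -eq $daSid.Value }
    if ($present) {
        Write-GuardEvent "Domain Admins ($daSid) is a member of local Administrators."
    } else {
        # The group was removed: put it back and leave a record for follow-up.
        Add-LocalGroupMember -SID $AdminsSid -Member $daSid.Value -ErrorAction Stop
        Write-GuardEvent "Domain Admins ($daSid) was missing from local Administrators and has been re-added." 'Warning'
    }
} catch {
    Write-GuardEvent "Local Administrators check failed: $($_.Exception.Message)" 'Error'
}
```

The Warning events identify which machines had the group removed, which is the signal to revisit whether those users should hold local administrator rights at all.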
 
