User removed Domain Admins group

mouser

I am a Domain Admin for our company, and
in our network, we have several external offices
throughout the world, and each user has a machine on
Active Directory that they use. We grant these users local
machine admin rights to their PC.

We are no longer able to access one PC because the user
has removed the Domain Admins group from the local
Administrators group on the machine. He also changed the
administrator password. We can still bring up computer
management and see the groups and users, but I can't add
anything.

Is there any way to get access to this machine again
without the use of any hacking tools?
 
Steven L Umbach

Create an OU and then a GPO for that OU. Configure restricted groups for the
administrators group and add domain admins to it. Run secedit /refreshpolicy
machine_policy /enforce on that domain controller. Move that computer into
that OU [before secedit refresh] . After next Group Policy refresh the
domain admins group should be the only group in the local administrators
group on that computer. That could take up to a couple of hours or maybe
more if site replication is involved. If someone could reboot it for you
that may speed things up. This all depends on that computer still being a
member of the domain with a working computer account. You may then want to
move that computer back to its normal container and then reconfigure the
local administrators group to be as needed. --- Steve

http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q320065
http://support.microsoft.com/default.aspx?scid=kb;en-us;228496
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/611.asp
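
The steps in the reply above, scripted as an added example (not part of the thread and not the poster's code). It assumes the ActiveDirectory and GroupPolicy PowerShell modules, which the thread does not mention, and the OU, GPO and computer names are made up for illustration.

```powershell
# Added example. Assumed names: OU 'AdminRecovery', GPO 'Restore-DomainAdmins',
# computer 'PC-REMOTE01'. None of these come from the thread.
Import-Module ActiveDirectory, GroupPolicy

$computerName = 'PC-REMOTE01'
$domain       = Get-ADDomain
$daSid        = "$($domain.DomainSID.Value)-512"   # RID 512 = Domain Admins

# Returns $true when the SID is a direct member of the PC's local Administrators
# group. Assumes the English group name; throws if the PC cannot be queried.
function Test-LocalAdminMember {
    param([string]$Computer, [string]$Sid)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($member in $group.Invoke('Members')) {
        $bytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $value = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        if ($value -eq $Sid) { return $true }
    }
    return $false
}

# 1. Recovery OU with its own GPO linked to it.
$ou  = New-ADOrganizationalUnit -Name 'AdminRecovery' -Path $domain.DistinguishedName -PassThru
$gpo = New-GPO -Name 'Restore-DomainAdmins'
New-GPLink -Guid $gpo.Id -Target $ou.DistinguishedName | Out-Null

# 2. The GroupPolicy module has no cmdlet for Restricted Groups, so that
#    setting is made by hand in the GPO editor before the computer is moved.
Read-Host "In GPO '$($gpo.DisplayName)' add Administrators with member Domain Admins under Restricted Groups, then press Enter"

# 3. Move the computer into the OU and note where it came from.
$pc       = Get-ADComputer -Identity $computerName
$original = $pc.DistinguishedName -replace '^CN=[^,]+,', ''
Move-ADObject -Identity $pc.DistinguishedName -TargetPath $ou.DistinguishedName
Write-Host "Moved $computerName from '$original'; move it back once access is restored."

# 4. Poll every 10 minutes for up to 4 hours, covering the background refresh.
$deadline = (Get-Date).AddHours(4)
$restored = $false
while (-not $restored -and (Get-Date) -lt $deadline) {
    try { $restored = Test-LocalAdminMember -Computer $computerName -Sid $daSid }
    catch { Write-Warning "Could not read group on ${computerName}: $($_.Exception.Message)" }
    if (-not $restored) { Start-Sleep -Seconds 600 }
}
if ($restored) { Write-Host "Domain Admins is back in local Administrators on $computerName." }
else { Write-Warning "Not restored by $deadline; check the computer account and replication." }
```

The membership check compares SIDs rather than names, so it still matches if the Domain Admins group has been renamed.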
 
Seeker

> We are no longer able to access one PC because the user
> has removed the Domain Admins group from the local
> Administrators group on the machine. He also changed the
> administrator password. We can still bring up computer
> management and see the groups and users, but I can't add
> anything.
>
> Is there any way to get access to this machine again
> without the use of any hacking tools?

Yes, tell the user not to do that and to add Domain Admins back. This is a
personnel issue. Escalate if necessary.
 
Guest

Thanks for that suggestion, it worked.

-----Original Message-----
Create an OU and then a GPO for that OU. Configure restricted groups for the
administrators group and add domain admins to it. Run secedit /refreshpolicy
machine_policy /enforce on that domain controller. Move that computer into
that OU [before secedit refresh] . After next Group Policy refresh the
domain admins group should be the only group in the local administrators
group on that computer. That could take up to a couple of hours or maybe
more if site replication is involved. If someone could reboot it for you
that may speed things up. This all depends on that computer still being a
member of the domain with a working computer account. You may then want to
move that computer back to its normal container and then reconfigure the
local administrators group to be as needed. --- Steve

 
