[gptalk] Re: Domain Admins are not Local Admins

  • From: "Omar Droubi" <omar@xxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 19 Dec 2006 09:52:49 -0800

OK how about this:
get a clean Win XP box (BTW is this only happening on workstations or servers 
as well?)
Get a clean Win XP in a workgroup. Join the domain but do not reboot.
After the domain join is successful- open computer management and look at the 
local groups to see if this situation is occurring at the time of domain join 
or after the fact.
Once you are through that- reboot that WIn XP off the network. Login with local 
admin and check the groups again If there were no group changes after the 
domain join.
Now- is the domain admin account also added to local admins or just the 
debuggers group?
Let me know what results- this is an interesting situation.


From: gptalk-bounce@xxxxxxxxxxxxx on behalf of Ray Lewis
Sent: Tue 12/19/2006 9:46 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Domain Admins are not Local Admins 

Hi Paul - thanks for the reply...


As expected, RSoP.MSC shows no Restricted Groups present. The only startup 
script being applied to clients is a local Administrator password change using 
the conventional NET USER Administrator %1, however this method has always been 
used and this only started occurring recently...


What if an old Restricted Policy was set to apply Domain Admins and the Domain 
Administrator account but has since been revoked... Is there a way it could 
retain this reversal? If so, the million dollar question is, how do I set it 
back to the default, thus being Domain Admins and Domain Administrator account 
as local Admins?


It's a really nasty problem this one but I really appreciate all your advice - 
Thanks Guys :-)





From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Paul Williams
Sent: 19 December 2006 11:42
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Domain Admins are not Local Admins 


If you're sure that there's no restricted groups policy (use RSoP.MSC to 
verify) being applied then perhaps you're being bitten by what many refer to as 
"security through obscurity".  In other words, have you perhaps renamed your 
administrators group?  If this is widespread then probably not, as GPO only 
supports renaming Administrator and Guest as far as I remember.


Another option could be an erroneous startup script.


Restricted groups is the most likely.  A weird script could also be doing this. 
 As could some management tool like Quest's InTrust or HPs OVOW.





        ----- Original Message ----- 

        From: Ray Lewis <mailto:razor@xxxxxxxxxxxxxxxxxxxxxxxx>  

        To: gptalk@xxxxxxxxxxxxx 

        Sent: Monday, December 18, 2006 2:38 AM

        Subject: [gptalk] Domain Admins are not Local Admins 


        Hi Guys


        Not sure if this is exactly GPO related or whether the domain GP is 
screwed, but when a computer joins our domain, the Domain Administrator and 
members of the Domain Admins Group are added to the local machine as a Debugger 
User. By default, these should be in the Local Admins group. 
        Restricted groups within the Domains Group Policy is not active.. 

        Any ideas?


Other related posts: