[gptalk] Re: Domain Admins are not Local Admins

  • From: "Paul Williams" <paul.williams@xxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 19 Dec 2006 11:42:09 -0000

If you're sure that there's no restricted groups policy (use RSoP.MSC to 
verify) being applied then perhaps you're being bitten by what many refer to as 
"security through obscurity".  In other words, have you perhaps renamed your 
administrators group?  If this is widespread then probably not, as GPO only 
supports renaming Administrator and Guest as far as I remember.

Another option could be an erroneous startup script.

Restricted groups is the most likely.  A weird script could also be doing this. 
 As could some management tool like Quest's InTrust or HPs OVOW.


  ----- Original Message ----- 
  From: Ray Lewis 
  To: gptalk@xxxxxxxxxxxxx 
  Sent: Monday, December 18, 2006 2:38 AM
  Subject: [gptalk] Domain Admins are not Local Admins 

  Hi Guys


  Not sure if this is exactly GPO related or whether the domain GP is screwed, 
but when a computer joins our domain, the Domain Administrator and members of 
the Domain Admins Group are added to the local machine as a Debugger User. By 
default, these should be in the Local Admins group. 

  Restricted groups within the Domains Group Policy is not active.. 

  Any ideas?




Other related posts: