[gptalk] Re: Domain Admins are not Local Admins

  • From: "Ray Lewis" <razor@xxxxxxxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Tue, 19 Dec 2006 17:46:15 -0000

Hi Paul - thanks for the reply.


As expected, RSoP.MSC shows no Restricted Groups present. The only startup
script being applied to clients is a local Administrator password change
using the conventional NET USER Administrator %1, however this method has
always been used and this only started occurring recently.


What if an old Restricted Policy was set to apply Domain Admins and the
Domain Administrator account but has since been revoked? Is there a way it
could retain this reversal? If so, the million-dollar question is, how do I
set it back to the default, thus being Domain Admins and Domain
Administrator account as local Admins?


It's a really nasty problem this one but I really appreciate all your advice
- Thanks Guys :-)





From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Paul Williams
Sent: 19 December 2006 11:42
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Domain Admins are not Local Admins 


If you're sure that there's no restricted groups policy (use RSoP.MSC to
verify) being applied then perhaps you're being bitten by what many refer to
as "security through obscurity".  In other words, have you perhaps renamed
your administrators group?  If this is widespread then probably not, as GPO
only supports renaming Administrator and Guest as far as I remember.


Another option could be an erroneous startup script.


Restricted groups is the most likely.  A weird script could also be doing
this.  As could some management tool like Quest's InTrust or HP's OVOW.





----- Original Message ----- 

From: Ray Lewis <mailto:razor@xxxxxxxxxxxxxxxxxxxxxxxx>  

To: gptalk@xxxxxxxxxxxxx 

Sent: Monday, December 18, 2006 2:38 AM

Subject: [gptalk] Domain Admins are not Local Admins 


Hi Guys


Not sure if this is exactly GPO related or whether the domain GP is screwed,
but when a computer joins our domain, the Domain Administrator and members
of the Domain Admins Group are added to the local machine as a Debugger
User. By default, these should be in the Local Admins group. 

Restricted groups within the Domain's Group Policy is not active.

Any ideas?
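
An added example, not part of the thread: one way to confirm on an affected client where the Domain Admins group and the domain Administrator account actually ended up. It resolves the local Administrators group by its well-known SID, so a renamed group does not hide the result. It assumes Windows PowerShell 5.1 or later (for the `Get-LocalGroup` cmdlets) and a session logged on with a domain account.

```powershell
# Added example (not from the thread).
# Assumption: elevated Windows PowerShell 5.1+ on the affected client, logged on
# with a domain account; the domain SID is taken from that logon.
$domainSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.AccountDomainSid
if (-not $domainSid) { throw 'Current logon has no account domain SID.' }

# Expected members, built from well-known RIDs (-512 Domain Admins, -500 Administrator).
$expected = [ordered]@{
    'Domain Admins'        = [System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid
    'Domain Administrator' = [System.Security.Principal.WellKnownSidType]::AccountAdministratorSid
}

# S-1-5-32-544 is the built-in Administrators group, whatever it has been renamed to.
$localAdmins = Get-LocalGroup -SID 'S-1-5-32-544'
$adminSids   = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.SID.Value })

foreach ($name in $expected.Keys) {
    $sid = New-Object System.Security.Principal.SecurityIdentifier($expected[$name], $domainSid)

    # Every local group that currently holds this principal as a direct member.
    $memberOf = Get-LocalGroup | Where-Object {
        @(Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue |
            ForEach-Object { $_.SID.Value }) -contains $sid.Value
    }

    [pscustomobject]@{
        Principal       = $name
        Sid             = $sid.Value
        InLocalAdmins   = $adminSids -contains $sid.Value
        LocalAdminsName = $localAdmins.Name
        FoundInGroups   = ($memberOf.Name -join ', ')
    }
}
```

A row with `InLocalAdmins` false and another group listed under `FoundInGroups` matches the symptom described in the original post; comparing the output before and after a reboot shows whether a startup script or policy refresh is moving the membership.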



