Domain Admin Account deleted by local Admin

Discussion in 'Active Directory' started by Sergiu, Oct 6, 2004.

  1. Sergiu

    Sergiu Guest

    Hi.
    I have Windows Server 2003 Enterprise and I have the following problem. In
    my domain, all the users are local admins, but some of them are deleting the
    domain admin from the local Administrators group. That issue is creating a big
    problem for me because some maintenance tasks that I'm trying to run on those
    computers, or programs that should be installed remotely like the antivirus
    client etc., are failing to install.

    My question is whether there is a method to not allow those computers without
    a domain admin account to authenticate with the domain controller, or any
    other trick so I can stop this problem in an elegant way. Making the users
    plain users on their computers is not a solution.
     
    Sergiu, Oct 6, 2004
    #1

  2. Before looking for technical solutions I would look at your company policy
    and decide if all employees must comply with all issued company-wide
    policies etc.
    Then ensure that everyone is told not to change or alter the contents of the
    local Administrators group.
    If they then continue to do this they can be subject to disciplinary
    proceedings.
    This will usually stop most tampering, since only the primary user of that PC
    is making this change; it is fairly easy to work out who it is and thus
    provide them with a formal warning etc.

    As regards a technical solution, the use of Restricted Groups may help;
    see
    http://support.microsoft.com/?id=810076
    However, this will also mean that, as there is no "merging" of groups, you will
    need to make all users in one domain-level group admins on all PCs, e.g.
    add Domain Users to the local Admin group as well as Domain Admins.
    This will mean that whenever Group Policy is reprocessed for that machine
    it will put back the Domain Admins group into the local Admins group.

    --

    Regards,

    Mike
    --
    Mike Brannigan [Microsoft]

    This posting is provided "AS IS" with no warranties, and confers no
    rights

    Please note I cannot respond to e-mailed questions, please use these
    newsgroups
     
    Mike Brannigan [MSFT], Oct 6, 2004
    #2

  3. Sergiu

    Sergiu Guest

    Thanks for the technical advice, but I was looking for a solution that does
    not allow you to log on if there is no domain admin account in the local admin
    group.
    Regarding the other advice, I can assure you that I am not talking about a
    company network. Let's say that it is my test network in the neighbourhood where
    I'm testing the solutions before applying them to a prod environment. That's why
    I can't impose anything on the users, and I want a solution that they have nothing
    to comment or do about. I believe that nobody is stupid enough to let a
    secretary master her computer and install pink themes.
    Thanks again, and if you can help me with it I'll be grateful.
     
    Sergiu, Oct 6, 2004
    #3
  4. Hi

    A couple of options:

    1)
    Create a GPO based computer startup script that adds the "domain
    admins" group to the Administrators group (and maybe add the same
    code to the user logon script as well).

    2)
    Restricted Groups enforced with Group Policy may also be an option:

    http://groups.google.com/groups?selm=

    and

    How to Configure a Global Group to Be a Member of the Administrators
    Group on all Workstations
    http://support.microsoft.com/default.aspx?scid=kb;en-us;320065

    Note that this will delete all existing members of the local
    Administrators group, so to support that the users are to be local
    admins, you need to add something "common" to the Administrators
    group to handle this.

    We add "NT Authority\Interactive" in the local Administrators group
    to let all domain users automatically be local admins when they log
    on to a computer interactively.

    This is more secure than adding "Authenticated Domain Users",
    "Domain Users" or "NT AUTHORITY\Authenticated Users" because you
    avoid the issue with cross-network admin rights (remote access)
    that these groups introduce.
     
    Torgeir Bakken \(MVP\), Oct 6, 2004
    #4
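    Option 1 above (the startup script that puts "Domain Admins" back, optionally together with NT AUTHORITY\INTERACTIVE) as an added example; this is not Torgeir's or Sergiu's code. It assumes a current Windows host with PowerShell 5.1 and the Microsoft.PowerShell.LocalAccounts module, and `$DomainNetBios` is a placeholder for your domain's NetBIOS name; on older hosts it falls back to the same change via `net.exe localgroup`.

```powershell
# Added example, not from the thread: GPO computer startup script that re-adds
# "Domain Admins" (and optionally NT AUTHORITY\INTERACTIVE, as Torgeir describes)
# to the local Administrators group when a local admin has removed it.
# Assumes PowerShell 5.1+ with Microsoft.PowerShell.LocalAccounts; $DomainNetBios
# is a placeholder and must be replaced with your domain's NetBIOS name.
param(
    [string]$DomainNetBios = 'CONTOSO',   # placeholder, not from the thread
    [switch]$IncludeInteractive            # also keep interactive users as admins
)

$group    = 'Administrators'
$required = @("$DomainNetBios\Domain Admins")
if ($IncludeInteractive) { $required += 'NT AUTHORITY\INTERACTIVE' }

# Current members. Get-LocalGroupMember fails when the group holds an orphaned
# SID (or is missing on old hosts), so fall back to parsing "net localgroup".
try {
    $members = (Get-LocalGroupMember -Group $group -ErrorAction Stop).Name
} catch {
    $members = net.exe localgroup $group |
        Select-Object -Skip 6 |
        Where-Object { $_ -and $_ -notmatch '^-+$|^The command completed' }
}

$log = Join-Path $env:SystemRoot 'Temp\admin-group-repair.log'
foreach ($principal in $required) {
    if ($members -contains $principal) { continue }

    # Record the repair so the removal can be followed up with the user.
    "$(Get-Date -Format s) '$principal' missing from $group on $env:COMPUTERNAME; re-adding" |
        Add-Content -Path $log

    try {
        Add-LocalGroupMember -Group $group -Member $principal -ErrorAction Stop
    } catch {
        # Hosts without the LocalAccounts module: same change via net.exe.
        net.exe localgroup $group "$principal" /add | Out-Null
    }
}
```

    Deploy it under Computer Configuration > Windows Settings > Scripts > Startup so it runs as SYSTEM before anyone logs on. The removal itself is recorded in the Security log as event ID 4733 (member removed from a security-enabled local group) when local group membership auditing is enabled, which is how to find out who did it.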
  5. Sergiu

    Sergiu Guest

    Thanks.
    Looks like it's working, with the only disadvantage that I have to create an
    OU for every wise guy and enforce a group policy that also contains his
    domain account in order for him to keep his admin rights on that computer.
    The luck is that I have only a few of them. By the way, did you ever see a logon
    script that can add those accounts at logon time? It could be a better and more
    elegant solution.
    Thanks again.
     
    Sergiu, Oct 6, 2004
    #5