Petri IT Knowledgebase Forums
 

Removal of account in the local administrator group

this thread has 7 replies and has been viewed 5115 times

#1
5th March 2004, 17:37
orven

I have 1000 machines and just finished the migration process.

I want to remove, using a script or something, some users who put themselves as members of the local admins group on their own machines; instead I want to insert a new group from my domain as a master local admin account.

How can I do that?
The other question is:
Let's say I created a Group Policy to prevent them from installing a program; will they still be able to install it, since they are members of the local admins group?

Please advise more pow
__________________
Learning something new always
#2
6th March 2004, 16:56
danielp

You can do it in many ways: scripting (try the scripting forum), by using the NET LOCALGROUP command, and by using the RESTRICTED GROUPS section in your domain's GPO.
__________________
Cheers,

Daniel Petri
Microsoft Senior Premier Field Engineer
MCSA/E, MCTS, MCITP, MCT
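
One way to script the cleanup asked about in the first post, run locally on each workstation. This is an added example, not part of the original posts: it uses the LocalAccounts cmdlets of Windows PowerShell 5.1 in place of NET LOCALGROUP (the equivalent commands are in the comments), and the group name `CONTOSO\Workstation Admins` and the keep-list (built-in Administrator, Domain Admins) are assumptions.

```powershell
# Added example: run locally on each workstation (startup script, remoting, etc.).
# 'CONTOSO\Workstation Admins' is a placeholder; substitute your own domain group.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$AdminGroup = 'CONTOSO\Workstation Admins'
)

# Well-known SID of BUILTIN\Administrators; the group name itself is localized.
$adminsSid = 'S-1-5-32-544'
$members   = @(Get-LocalGroupMember -SID $adminsSid)

# Add the domain group first. -ErrorAction Stop aborts the script if the group
# cannot be resolved, so nothing is removed unless the managed group is in place.
# Equivalent: net localgroup Administrators "CONTOSO\Workstation Admins" /add
if ($members.Name -notcontains $AdminGroup) {
    if ($PSCmdlet.ShouldProcess($AdminGroup, 'Add to local Administrators')) {
        Add-LocalGroupMember -SID $adminsSid -Member $AdminGroup -ErrorAction Stop
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Member = $AdminGroup; Action = 'Add' }
}

foreach ($m in $members) {
    $sid  = $m.SID.Value
    # Keep the built-in Administrator (RID 500), Domain Admins (RID 512)
    # and the designated group; every other member is removed.
    $keep = $sid -match '^S-1-5-21-[\d-]+-(500|512)$' -or $m.Name -eq $AdminGroup
    if ($keep) { continue }

    # Equivalent: net localgroup Administrators "<member>" /delete
    if ($PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
        Remove-LocalGroupMember -SID $adminsSid -Member $m -ErrorAction Stop
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Member = $m.Name; Action = 'Remove' }
}
```

Running the script with `-WhatIf` emits the same per-member report without changing the group, which gives a reviewable list of who would lose admin rights before anything is enforced.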
#3
6th March 2004, 23:28
guyt

BTW, SP4 for W2K presented some interesting and useful changes to the behavior of Restricted Groups.
Now you can use the "Member of" functionality to be able to add Domain Local or Domain Global groups to Local groups...
Have a look here:

Updates to Restricted Groups ("Member of") Behavior of User-Defined Local Groups:
http://support.microsoft.com/default...;en-us;Q810076
__________________
Guy Teverovsky
http://blogs.technet.com/b/isrpfeplat/
"Smith & Wesson - the original point and click interface"
#4
7th March 2004, 02:53
danielp

Quote:
Originally Posted by Daniel Petri
and by using the RESTRICTED GROUPS section in your domain's GPO.
LOL, someone is not reading my posts?
__________________
Cheers,

Daniel Petri
Microsoft Senior Premier Field Engineer
MCSA/E, MCTS, MCITP, MCT
#5
7th March 2004, 03:42
guyt

Someone IS reading your posts.
The problem with restricted groups till SP4 was that whatever you defined would OVERRIDE local settings. Since SP4 you can ADD whatever you want.
This is based on the difference between forward link and back link.

Groups contain forward links to their members.
Remember the 5K object limit of a group in W2K? This is because a group containing around 5K objects grew to a size at which the object represented in AD could not be replicated as a single instance, as it exceeded the replication packet size.
A user, on the other hand, has a backlink attribute ("Member of") which points to the groups it is a member of.

Read the KB
__________________
Guy Teverovsky
http://blogs.technet.com/b/isrpfeplat/
"Smith & Wesson - the original point and click interface"
#6
7th March 2004, 16:23
danielp

Well yes, but what made you think I don't know about the new features in SP4? The original question said nothing about the SP level.
__________________
Cheers,

Daniel Petri
Microsoft Senior Premier Field Engineer
MCSA/E, MCTS, MCITP, MCT
#7
7th March 2004, 17:11
guyt

Hold your guns!
It was FYI for the rest and I felt it was important enough to mention.
No one said you don't know the changes in SP4.

(do you?)
[ducking and running away]
__________________
Guy Teverovsky
http://blogs.technet.com/b/isrpfeplat/
"Smith & Wesson - the original point and click interface"
#8
8th March 2004, 01:56
danielp

Urrrrrggggghhhhhhaaaaahhhhhhh....



Anyway, keep them coming, you're better at fishing than I am.
__________________
Cheers,

Daniel Petri
Microsoft Senior Premier Field Engineer
MCSA/E, MCTS, MCITP, MCT
All times are GMT +3.

Copyright 2005 Daniel Petri