farmer9000

As a sys admin I need access to all computers.

I maintain a small Active Directory OU of some 500 to 600 machines. Most of these machines stay in place for about a year. The problem starts when new machines come in and are added to my OU. They come from many different locations and thus have been built by a variety of different people with a wide variety of different ideas on who should and should not have access to the local box. (Sorry for the long sentence... but...) I must have the ability to monitor and modify these machines in order to ensure that we have the highest level of security; updates; patches; and no, and I do mean NO!, unauthorized software and other stuff. (Tough job, but someone...)
I am not a PC tech. I need a resource that can help me understand what some of these other guys have done to block me from getting to, say, local users and groups; or deny "Remote Desktop Connection" or deny "Symantec to auto update". You get the picture. Can anyone help me get started on this? I would like an answer that involves the use of AD GPOs; then when they go away, they can have their machine back.
I have been all through the local Group Policies and cannot find anything that looks suspect.
Thanks, Rick
ASKER CERTIFIED SOLUTION
Rich Rumble
farmer9000

ASKER

Thanks, in a perfect world or even a near perfect world I totally agree. But the Army is not a perfect world. I have a GPO that adds the Domain Admin account to the local administrator on all the machines that are on the network, but I am still restricted on some of them. I am sure it is local policies that are preventing me access. I cannot do any of the other items because of different MFGs and age of machines, wide variety of 3rd party software; re-image is out, too many different drivers needed and 3rd party support required. The only saving grace is that all machines have to be Windows XP Pro. (OK, maybe a couple of Win2K.)
I was hoping someone would come up with a script that would reset all the local policies to a default setting with minimum security. I have enough network security to not be concerned about local settings.

GPs take precedence over local policies: http://www.securitydocs.com/library/3198/2
First, the local GPO applies. Although this GPO resides directly on the computer that it will configure, it has the least priority when compared with the other AD GPOs.
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/operate/04w2kada.mspx

You may need to make a GPO that re-adds the domain admins to the local admin group of the machines, I suppose.
-rich
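
Added example (not part of the thread, and not either poster's code): a simplified Python model of the processing order quoted above, showing that an AD GPO overrides a local setting only when it actually configures that setting, so a GPO that just adds Domain Admins to the local Administrators group leaves other local restrictions in force. The `EXAMPLE` domain, the sample GPO contents and the `RestrictedGroups:Administrators` key are constructed for illustration; Enforced links, Block Inheritance and loopback processing are not modelled.

```python
# Simplified model of Group Policy precedence (added illustration).
# Processing order is Local -> Site -> Domain -> OU; a later GPO wins only for
# settings it actually configures. Enforced links, Block Inheritance and
# loopback processing are deliberately left out of this model.

ORDER = ["Local", "Site", "Domain", "OU"]

def effective_policy(gpos):
    """Return {setting: (value, winning_level)} for a list of (level, settings)."""
    result = {}
    # Stable sort keeps the given order among GPOs linked at the same level.
    for level, settings in sorted(gpos, key=lambda g: ORDER.index(g[0])):
        for name, value in settings.items():
            if value is not None:          # None models "Not Configured"
                result[name] = (value, level)
    return result

def local_leftovers(gpos):
    """Settings whose effective value still comes from the local GPO."""
    return sorted(n for n, (_, lvl) in effective_policy(gpos).items() if lvl == "Local")

# Constructed sample data, not taken from any real machine.
SAMPLE_GPOS = [
    ("Local", {
        "SeDenyNetworkLogonRight": ["EXAMPLE\\Domain Admins"],
        "SeDenyRemoteInteractiveLogonRight": ["EXAMPLE\\Domain Admins"],
        "fDenyTSConnections": 1,
    }),
    ("Domain", {
        # Hypothetical key standing in for a Restricted Groups entry.
        "RestrictedGroups:Administrators": ["EXAMPLE\\Domain Admins"],
        "fDenyTSConnections": None,        # present in the GPO but Not Configured
    }),
    ("OU", {
        "fDenyTSConnections": 0,
        "SeDenyRemoteInteractiveLogonRight": [],   # defined, with no members
    }),
]

if __name__ == "__main__":
    for name, (value, level) in sorted(effective_policy(SAMPLE_GPOS).items()):
        print(f"{name:36} {value!r:28} from {level}")
    print("Still set by local policy:", local_leftovers(SAMPLE_GPOS))
```

In the sample, the network-logon deny right is the one setting no AD GPO touches, so it is the one that still comes from the local policy.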