  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 382

Domain Admin is removed from the group administrators in a machine. How do I enter

Hi,

Domain Admin is removed from the group administrators in a machine. How do I enter?

I want to connect through Mstsc, C$

How do I do...

Regards
Sharath
0
bsharath
Asked:
3 Solutions
 
SmithJWCommented:
Easiest way is probably to use the computer management console from Administrative Tools (on any computer, whilst logged in as admin) and then go to 'Actions' | 'Connect to another computer'.

From there, I believe you can add the Domain Administrator back to the Administrators group.
0
 
bsharathAuthor Commented:
I checked that, even then not able to access any of them...
Groups, shares, everything shows 'Permission denied'

I am logging in from a machine that has Domain admin credentials.
0
 
DarylxCommented:
If the domain admins group isn't a member of the local admins group on the machine, you won't be able to access the machine using a domain admin account (it has no rights on the machine).  You'll need to log on to the machine using the local administrator account or any other account on the machine that has admin rights.
0
 
bsharathAuthor Commented:
Is there any other way to force from ADS...
I don't have any access on the machine. Domain\admin\local admin\user accounts which have admin privileges, nothing works...
0
 
DarylxCommented:
Have you tried logging in as the local administrator?  Don't forget to select 'local machine' in the login box.
0
 
bsharathAuthor Commented:
Yes, I tried even that... But no help...
0
 
DarylxCommented:
What do you mean "no help"?  Were you able to log in?
0
 
bsharathAuthor Commented:
No, I wasn't able to log in...
0
 
DarylxCommented:
You could set a restricted groups GPO in Active Directory.

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
0
 
jmcfeedCommented:
Try to login at some kind of Linux distribution. For example, the latest Live of your preferred distribution.
I really doubt this could help creating a new account, but maybe you're able to backup your user files and reinstall server again.

There's no need to install Linux. As I said, a full Live of, for example, Ubuntu, could help.
0
 
bsharathAuthor Commented:
By creating a restricted group all the existing users that are in the Administrator group will be removed and the new settings will be added. Is there a way that the existing remain the same and the new restricted group's members be added as well?
0
 
bsharathAuthor Commented:
When will these settings take place?
After the restart?
Can we force it to take effect immediately? Any way to force it from ADS...
0
 
DarylxCommented:
Rebooting the PC will apply the settings.
0
 
bsharathAuthor Commented:
By creating a restricted group all the existing users that are in the Administrator group will be removed and the new settings will be added. Is there a way that the existing remain the same and the new restricted group's members be added as well?
0
 
DarylxCommented:
You can't use restricted groups to add users and keep the current users.  If there are other accounts in the administrators group, why not just ask one of them to log in and add the domain admins group?
0
 
Farhan KaziSystems EngineerCommented:
>> By creating a restricted group all the existing users that are in the Administrator group will be removed and the new settings will be added

Use "Member Of" Restricted Group Portion of Policy.
By using this only inclusion is enforced. The Restricted Group is not removed from other groups. It makes sure that the restricted group is a member of groups that are listed in the Member Of dialog box.

0
 
bsharathAuthor Commented:
Farhan, so in the Restricted Group I need to create a group called "Something group" and then add the Domain admin as the member of in it... Is it correct...
0
 
tigermattCommented:
If the Domain Admins group is removed from the local Administrators group on the machine then you can't connect to it through a domain account with Domain Admins privileges. This is for the simple reason that permissions on the machine are granted to the local administrators account, so the Domain Admins group needs to be a member of this group to inherit its permissions.

In the restricted group you can add the Domain Admins group straight off, no need to add a group in between.

-tigermatt
0
 
Farhan KaziSystems EngineerCommented:
Once at the Restricted Groups node, you will right-click on it and select Add Group. Enter the Group name "Administrators". After you create the group, it will show up in the right hand pane under the Group Name column. Now double-click the group name that you created under Restricted Group node. This will open up the group Properties sheet. Then, you will click the Add button for the *** "This group is a member of" *** section of the form. Now add "Domain Admins" in the list.


0
 
bsharathAuthor Commented:
Many of them remove the Domain Admin from the Administrator group. So it becomes difficult to ask them or log in with their credentials and then give permissions, as many even change the local Administrator password.
So is there a permanent solution? That's the restricted group. When given, even if the user removes them they come back.
But the users have administrator rights in the local machine, so when I update the users with the restricted groups it will remove the other users also...
Any way to leave them and update the Domain admin alone, without changing anything?
0
 
bsharathAuthor Commented:
Farhan... To just confirm, will this not remove the other users that are inside the local machine's administrator group?
After I do this, how can I force this to replicate immediately...
0
 
Farhan KaziSystems EngineerCommented:
See what M$ says about this:
Using the "Member Of" Restricted Group Portion of Policy
Only inclusion is enforced in this portion of a Restricted Group policy. The Restricted Group is not removed from other groups. It makes sure that the restricted group is a member of groups that are listed in the Member Of dialog box.

http://support.microsoft.com/kb/279301
0
 
bsharathAuthor Commented:
As for this scenario I need to add the Domain admin into Administrator.
So
I need to create a group called Administrator and add Domain Admins?

Ex:

So if for some other reason I need to remove all users from the group "Sophos Administrator",
I need to create a group in Restricted Groups called "Sophos Administrator" as blank so that all members will be removed in the local machine's group "Sophos Administrator"

0
 
tigermattCommented:
I'm not sure whether there's a way of setting it in this situation so that existing settings will be kept. Since we must make the Domain Admins group a member of the local Administrators group (it wouldn't work the other way around, since we want Domain Admins to inherit local Administrators group permissions). As detailed at this site: http://www.windowsecurity.com/articles/Using-Restricted-Groups.html by the "Members of this group" image, anything you set there will replace what is already configured.

Of course, the other way of sorting this out if your users have Admin rights is run a logon script which says
net localgroup administrators "Domain Admins" /ADD
Since your users have local Administrator privileges they will have the rights to execute this.

-tigermatt
0
 
tigermattCommented:
>>> So if for some other reason i need to remove all users from the groups "Sophos Administrator"
I need to create a Group in Restricted group called "Sophos Administrator" as blanks so that all members will be removed in the local machines groups "Sophos Administrator"


Correct.
0
 
bsharathAuthor Commented:
Tigermatt, now I am again confused... :)

You say that leaving the existing users in the administrator group I cannot add the Domain admin to the "Administrator" group.
I need to add the Domain admin as well, don't want to delete the members in the group...

As per Farhan's statement this can be done...
Farhan, can you comment please...
0
 
tigermattCommented:
I'm sorry for confusing you!

According to this website (http://www.windowsecurity.com/articles/Using-Restricted-Groups.html), you cannot use the "Members of this group" section of a restricted group to add a user/group to the list. Instead, what you define there replaces the individually defined settings.

Taking this into account:
-We must use the "Members of this group" to overcome this problem. Using the other one, "This group is a member of", will not solve the problem, since we need the Domain Admins group to inherit the local Administrators group permissions.
-Therefore, because the permissions need to be inherited down from the Administrators group, we have to use the "Members of this group" side of things.

You could show this like this, I suppose:

local Administrators group (this has the permissions we want to inherit)
     -Domain Admins group (will inherit permissions as group above it)

Sorry for confusing you!
-tigermatt
0
 
Farhan KaziSystems EngineerCommented:
With Member Of, the Restricted Group is NOT removed from other groups, but it is added if missing.

Ref: http://www.jsifaq.com/SF/Tips/Tip.aspx?id=3251
0
 
bsharathAuthor Commented:
No problem Tigermatt.
The above link which Farhan posted related to MS says we can add the Domain admin without disturbing the other users... That's why I was confused...

Thanks a lot for the help...

I shall keep the post open for Farhan's comments also...
0
 
bsharathAuthor Commented:
As for this scenario I need to add the Domain admin into Administrator.
So
I need to create a group called Administrator and add Domain Admins?

So the Administrator group in all local machines will be added with Domain Admins
0
 
tigermattCommented:
Yes, create Administrators then add the Domain Admins group.
0
 
Farhan KaziSystems EngineerCommented:
FROM: http://support.microsoft.com/kb/810076

In earlier versions of Windows, if a domain controller processes a Restricted Groups policy in which the Members section is left blank, all members are purged from the group when the policy is applied, regardless of the setting for Member of. ......

The behavior in Windows 2000 SP4, Windows XP with Service Pack 2 (SP2), and Windows Server 2003 has been corrected. On a computer that is running one of these versions of Windows, if you apply a Restricted Groups policy that defines Member of but leaves Members blank, the Members section is ignored, and group membership is not emptied.
0
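The difference between the two Restricted Groups settings discussed in this thread, as an added example that is not code from any participant: it parses a `[Group Membership]` section of the kind a GPO's GptTmpl.inf security template holds (key suffixes `__Members` and `__Memberof`) and models the resulting local groups as described in the KB 279301 and KB 810076 quotes. The sample template, the `CORP` domain, the account names and the `legacy` flag are constructed for illustration; real templates normally carry SIDs rather than names.

```python
# Added example: models Restricted Groups "Members" vs "Member Of" semantics.
# Constructed sample section; names are used instead of SIDs for readability.
SAMPLE_INF = """\
[Group Membership]
CORP\\Domain Admins__Memberof = Administrators
CORP\\Domain Admins__Members =
Sophos Administrator__Memberof =
Sophos Administrator__Members =
"""

def parse_group_membership(text):
    """Return {group: {"Members": [...], "Memberof": [...]}}."""
    policy, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            group, _, kind = key.strip().rpartition("__")
            items = [v.strip() for v in value.split(",") if v.strip()]
            policy.setdefault(group, {})[kind.capitalize()] = items
    return policy

def apply_policy(policy, local_groups, legacy=False):
    """Return the groups after the policy is applied; input is not modified.

    legacy=True models the pre-fix behaviour quoted from KB 810076, where a
    blank Members list purges the group even when Member Of is defined.
    """
    result = {g: set(m) for g, m in local_groups.items()}
    for group, entry in policy.items():
        members = entry.get("Members", [])
        member_of = entry.get("Memberof", [])
        # "Members" replaces the whole list. A blank list is ignored when
        # Member Of is defined, unless the legacy behaviour applies.
        if group in result and (members or not member_of or legacy):
            result[group] = set(members)
        # "Member Of" only adds the restricted group to the listed groups.
        for parent in member_of:
            if parent in result:
                result[parent].add(group)
    return result
```

Running `apply_policy(parse_group_membership(SAMPLE_INF), current_groups)` against a machine's current group lists shows which accounts a policy would keep, add or remove before it is linked to a test OU.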
 
tigermattCommented:
My apologies for the confusion I caused here. Thinking about it and looking at the evidence, Farhan is correct! :-)
0
 
Farhan KaziSystems EngineerCommented:
I would suggest to create a Test OU and add one or two computers accounts and apply this policy. It will clear all your doubts.
0
 
bsharathAuthor Commented:
OK, thanks to both and others for helping me.

How can I force the changes to take place immediately from the server side?
0
 
tigermattCommented:
This has to be done with a gpupdate /force at the client. There are ways to do it remotely (http://www.windowsecurity.com/articles/How-Force-Remote-Group-Policy-Processing.html), but unfortunately it requires you to be a member of the local Administrators group. Conveniently, this update does just that!

:-(

-tigermatt
0
