Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Domain Users/Admin lose Local Admin and Remote Desktop permissions

Posted on 2008-06-12
2
Medium Priority
?
616 Views
Last Modified: 2013-11-21
Got a odd one I think.  I have a medimum sized network with several windows 2003 server and XP Pro SP2 PCs.  3 DCs, 2 Exchange, 4 Web Servers/Services and several File and SQL servers.  Up until yesterday afternoon everything was good.  We have several custom apps where domain users need to be in the local admin group to run specific apps.  Admins have their own domain admin account and domain user accounts.
  We just installed 2 Trigio servers and were informed that we needed to push the remote agent to the DCs to support training next week.  We pused as directed by the trainer, ok first mistake pushed to production boxes, but experienced issues.  Eventually installed via CD.  After a few hours we noticed that individual domain admin accounts could not RDP on to the 3 DCs but could still RDP to other domain servers.  This morning backups on 8 servers failed with authentication errors.  We created a seperate backupexec account with appropriate permissions to conduct backups.  Again it appears that the backupexec account has been removed from the local admin and backup groups on the individual servrs.
  We noticed that users who logged off or shutdown there computers were the one who lost local admin right but those who just locked their work station did not.  So it appears like a GPO issue.  I have checked the restricted groups GPO but it appears fine.  Any other ideas?
0
Comment
Question by:sbsitech
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 2

Accepted Solution

by:
geedoubleu earned 750 total points
ID: 21772357
Removing accounts from groups can be done by vbscript and other programs, but a GPO is more likely.

Use the GPO results Wizard to show exactly what settings are being applied, including any local GPO's.

Also check any security applications you are running that are "helpfully" restricting group membership.
eEye Retina Scanner is a classic example of a application that can do this.
0
 

Author Comment

by:sbsitech
ID: 21817999
Ran results wizard and found that the administrator entry in the restricted groups GPO had no entires which was the problem.  deleted administrator from restriced groups and added domian admins to local admins groups and things are humming along.  Thanks

Jim
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question