Administrators Group members

[Guest]

I have a ghost account which is a member of the administrators group. Every
so often, it disappears. Does anyone have any suggestions why this could be
happening?

 

[Cary Shultz [A.D. MVP]]

Karen,

What do you mean by 'ghost' account?

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com

 

[Guest]

It's just a user account which we use to clone client systems. I've tried
removing it and recreating it but every so often it simply disappears. We
have thousands of user accounts but this is the only one that removes itself
from a group.

 

[Enkidu]

There is a Security Policy setting called "Restricted
Groups". One of the groups so controlled is Adminstrators
group. The security policy sets the members of that security
group. If the security policy is applied and the membership
of the group is changed, then you observe just what you have
observed, the group member will disappear.

http://www.microsoft.com/windows200...00/en/advanced/help/sag_SCErestrictgroups.htm

(Pse excuse the long URL and watch for wrapping!)

Cheers,

Cliff

 

[Guest]

Thanks but unfortunately this is not the case. I've checked and its still
the default with no groups added to the restricted groups. Any other
idea's???

thanks again

 

[Enkidu]

What did you check? The "Default Domain Controllers Policy"
should show a number of groups and a number of members in them.

Cheers,

Cliff

 

[Guest]

Yes I checked the "Default Domain Controllers Policy". This didn't have any
groups listed in the restricted groups. I read on an MS document that by
default it doesn't add any groups its upto the administrator to make use of
this policy.

 

[Enkidu]

If this is so, and I don't remember it being so, then I
suggest that you create a new policy, add the administrators
group to that and add the required account to that in the
policy, then apply.

But first check the GPO that is actually applied, not what
is in the default policy.

I am not able to access a Domain Controller or Domain at
this juncture, so I'm unable to check. It's not an area that
I am particularly familiar with either!

However, I'm convinced that your problem is in this area.

Cheers,

Cliff

Yes I checked the "Default Domain Controllers Policy". This didn't have any
groups listed in the restricted groups. I read on an MS document that by
default it doesn't add any groups its upto the administrator to make use of
this policy.

: