ensure domain admin always has admin rights to client ?

[scott]

Hi,

How can I use windows 2000 domain policy to ensure that the domain
administrator always has administrative rights to all 2000 pro and XP pro
domain clients ?

NOTE: all users have local admin rights to their machine only. This means
they can delete accounts from the local client user list easily. I figure
that repopulating the local client list at the point of domain policy
application would do the job.

Thanks
Scott.

 

[Torgeir Bakken (MVP)]

How can I use windows 2000 domain policy to ensure that the domain
administrator always has administrative rights to all 2000 pro and XP pro
domain clients ?

NOTE: all users have local admin rights to their machine only. This means
they can delete accounts from the local client user list easily. I figure
that repopulating the local client list at the point of domain policy
application would do the job.

Hi

Here are two methods that can be used:


1.) Restricted Groups enforced with Group Policy

http://groups.google.com/[email protected]

How to Configure a Global Group to Be a Member of the Administrators Group on
all Workstations
http://support.microsoft.com/default.aspx?scid=kb;en-us;320065


Because you have different users in the Administrator group, this method isn't
really an option for you.


2.) Do it through a Group Policy computer logon script (not user logon script)
using a bat file or a vbs file.

This script will always run in the system context, so it will have local admin
rights (but no implicit network access rights).