Unable to add/remove members of local Admin group

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hello Microsoft,

I have a few machines where someone has hacked the system to prevent changes
to the local administrators group. If logged in as Administrator, I get an
Access Denied when attempting to add or remove members from the
Administrators group. The Winlogon.log file also generates an "Access Denied"
line when our GPOs try to apply Restrictive Groups, which fail.

Does anyone know where how or what was done to accomplish this?
Or what I can do to correct this?
I could simply pull these systems off the network, however I would like to
attempt to create a network wide solution so that others, with local
administrative rights, wont be able to duplicate this. I also can't be sure
how many are currently affected

Does anyone know of any tools or utilities where I can scan the registry
and/or file system to find where default permissions may have been modified?

Thanks
 
Drew said:
I have a few machines where someone has hacked the system to prevent changes
to the local administrators group. [...]
Click to expand...

Back up documents, erase the disk, reinstall. It's the only way to be sure the
system is back in proper working order. Perhaps you should interview the person
or persons who might have been responsible first in case there is some other
reason why this isn't working.
I could simply pull these systems off the network, however I would like to
attempt to create a network wide solution so that others, with local
administrative rights, wont be able to duplicate this.
Click to expand...

There is no way you can prevent people with administrative rights from messing
up the system one way or another. If you can't trust them, you can't afford to
give them administrative rights. If you are obliged to like it or not, you may
have to resign yourself to frequent reinstallations - or perhaps just resign. :-)

Harry.
 
It can be pretty trivial for any user who has physical access to a computer
to become administrator or otherwise alter the operating system particularly
if the computer can be booted from anything other then the system hard
drive. It may help to password protect cmos settings of the computers and
configure cmos to only boot from the system drive. If the users are already
local administrators by design then it is a losing battle to expect that
computers will not be modified or compromised. You may also want to review
or create a computer user policy that prohibits unauthorized modifications
to the operating system though such policies will not be effective if that
do not have stated consequences that are not enforced.

Steve
 
Back
Top