I will look for it tomorrow. I have it at the office.

--
Regards,
Willem

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Sunday, February 29, 2004 16:20
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...

Ah hah! I love when my memory of old stuff that I haven't seen for a loooooong time is right.

Willem do you happen to have the article that talks about it handy? I couldn't track it down.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Willem Kasdorp
Sent: Sunday, February 29, 2004 9:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...

It's true. There is an XP post-SP1 hotfix for that. It works through Member Of, which no longer removes all members but just adds the one you need. I believe it works by default on W2003. I just deployed that capability.

--
Regards,
Willem

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Sunday, February 29, 2004 2:40
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...

I sent mail to the GP experts to find out about this....I don't really know, I'm kinda just rambling. I'll let you know what I find out.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, February 28, 2004 3:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...

I don't think so but it is definitely in the category of nice to have... Sort of break it up into two things.

1. Always have this principal in the group.
2. Never allow this principal in the group.

But don't let this pull you away from that other little fun thing I found... I am really curious to hear the answer.

Thanks

joe :o)

-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Saturday, February 28, 2004 3:59 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...

I'm not a group policy expert but Joe with this point:

> 3. Do something around restricted groups GPO though this is tough to do
> when you want different admins on different boxes.

Can't you set restricted groups to do an 'add' rather than a 'replace'? I thought that was a w2k sp4 / xpsp1 / 2003 change that was made. If there is doubt that I can dig up some documentation on it....I'd swear I read this before but it has been a while.

~Eric

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, February 27, 2004 10:56 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...

You can't stop them from removing it. I would think to use one of several solutions once it is removed however. I will let you pick.

1. Have a script that watches for the removal of your group from the local admins group. If it occurs, the machine gets kicked out of the domain. They should get the hint shortly.
2. Have a startup script from a GPO put the group back in the admins group every time the machine reboots.
3. Do something around restricted groups GPO though this is tough to do when you want different admins on different boxes.
4. Set up a special service that monitors that group and makes sure the remote management group is always there. You could write it to be fast enough to put it back before their command that removes it returns from removing.

When you are an admin of a box it is very difficult to be stopped from doing things on the box.

-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Povilaitis
Sent: Friday, February 27, 2004 6:02 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...

We have a few developers where their domain user account is a member of Local Admins group. With this privilege, some have elected to delete the DOMAIN\Remote Management group from the Local Admins group. Among other things, this interferes with maintenance routines utilizing WMI and/or Remote Scripting.

Is there any way to delete inhibit DOMAIN\Remote Management group from Local Admins?

__________________
Todd Povilaitis
LAN Administrator
Huntington Hospital
[EMAIL PROTECTED]
Phone: (626) 397-3392
Fax: (626) 397-2901

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
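
Option 2 from joe's list (a GPO startup script that puts the group back), as an added example that is not part of the thread or any poster's code. It assumes the script runs as SYSTEM from a computer startup script; the function name `Restore-AdminGroupMember` is hypothetical and `DOMAIN\Remote Management` is the placeholder name used in the thread.

```powershell
# Added example, not from the thread. Intended to run as SYSTEM from a computer
# startup script GPO. Restore-AdminGroupMember is a hypothetical name.
function Restore-AdminGroupMember {
    param([Parameter(Mandatory)] [string] $Member)   # 'DOMAIN\Group' form

    # Resolve the wanted principal to a SID so the comparison ignores name formatting.
    $wantSid = ([System.Security.Principal.NTAccount]$Member).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    # Find BUILTIN\Administrators by its well-known SID; its display name is localized.
    $adminSid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'
    $adminName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group     = [ADSI]"WinNT://$env:COMPUTERNAME/$adminName,group"

    # Walk the current members and compare by SID.
    foreach ($m in @($group.Invoke('Members'))) {
        $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid   = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        if ($sid -eq $wantSid) {
            return [pscustomobject]@{ Member = $Member; Action = 'AlreadyPresent' }
        }
    }

    # Missing: put it back. The WinNT provider wants DOMAIN/Name, not DOMAIN\Name.
    $group.Add('WinNT://' + $Member.Replace('\', '/'))
    [pscustomobject]@{ Member = $Member; Action = 'Restored' }
}

# 'DOMAIN\Remote Management' is the placeholder name used in the thread.
Restore-AdminGroupMember -Member 'DOMAIN\Remote Management'
```

A `Restored` result means someone removed the group since the last boot; with security group management auditing enabled, Security event 4733 on that machine records which account did it.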