Man! You guys are good :) Thanks for digging this up.
Sincerely,
Dèjì Akómöláfé, MCSE MCSA MCP+I
Microsoft MVP - Active Directory
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: Free, Bob
Sent: Sun 2/29/2004 1:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...

Eric Fleischman <mailto:[EMAIL PROTECTED]> wrote:
> Willem do you happen to have the article that talks about it handy? I
> couldn't track it down.

This one?

810076 - Updates to Restricted Groups ("Member of") Behavior of User-Defined Local Groups:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q810076

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Willem Kasdorp
> Sent: Sunday, February 29, 2004 9:15 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote
> Management group from local admins...
>
> It's true. There is a XP post-SP1 hotfix for that. It works through
> Member Of, that no longer removes all members but just adds the one you
> need. I believe it works by default on W2003. I just deployed that
> capability.
>
>> 3. Do something around restricted groups GPO though this is tough to
>> do when you want different admins on different boxes.
>
> Can't you set restricted groups to do an 'add' rather than a
> 'replace'? I thought that was a w2k sp4 / xpsp1 / 2003 change that
> was made. If there is doubt that I can dig up some documentation on
> it....I'd swear I read this before but it has been a while.
>
> ~Eric
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Friday, February 27, 2004 10:56 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote
> Management group from local admins...
>
> You can't stop them from removing it.
>
> I would think to use one of several solutions once it is removed
> however. I will let you pick.
>
> 1. Have a script that watches for the removal of your group from the
> local admins group. If it occurs, the machine gets kicked out of the
> domain. They should get the hint shortly.
>
> 2. Have a startup script from a GPO put the group back in the admins
> group every time the machine reboots.
>
> 3. Do something around restricted groups GPO though this is tough to
> do when you want different admins on different boxes.
>
> 4. Set up a special service that monitors that group and makes sure
> the remote management group is always there. You could write it to be
> fast enough to put it back before their command that removes it
> returns from removing.
>
> When you are an admin of a box it is very difficult to be stopped from
> doing things on the box.
>
> -------------
> http://www.joeware.net (download joeware)
> http://www.cafeshops.com/joewarenet (wear joeware)
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Todd Povilaitis
> Sent: Friday, February 27, 2004 6:02 PM
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote
> Management group from local admins...
>
> We have a few developers where their domain user account is a member
> of Local Admins group. With this privilege, some have elected to
> delete the DOMAIN\Remote Management group from the Local Admins group.
> Among other things, this interferes with maintenance routines utilizing
> WMI and or Remote Scripting. Is there any to delete inhibit
> DOMAIN\Remote Management group from Local Admins?
>
> __________________
> Todd Povilaitis
> LAN Administrator
> Huntington Hospital
> [EMAIL PROTECTED]
> Phone: (626) 397-3392
> Fax: (626) 397-2901

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
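
Option 2 from the quoted list (a GPO startup script that puts the group back at every boot), written out as an added example that is not part of the original thread and not any poster's code. It assumes Windows PowerShell 5.1 running as a computer startup script; `DOMAIN` stands for the NetBIOS domain name, and the event source `LocalAdminGuard` and event IDs 4101/4102 are hypothetical names chosen here.

```powershell
# Added example, not from the thread. Meant to run as a GPO computer startup
# script (runs as SYSTEM) under Windows PowerShell 5.1.
param(
    [string]$Domain = 'DOMAIN',             # placeholder: NetBIOS domain name
    [string]$Group  = 'Remote Management'   # group named in the thread
)
$ErrorActionPreference = 'Stop'
$source = 'LocalAdminGuard'                 # hypothetical event source name

if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}

# Bind to the local Administrators group by its well-known SID S-1-5-32-544 so
# the script still works where the group name is localized.
$sid    = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$name   = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
$admins = [ADSI]"WinNT://$env:COMPUTERNAME/$name,group"

# Current members as ADsPath strings, e.g. WinNT://DOMAIN/Remote Management
$members = @($admins.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
}

$wanted = "WinNT://$Domain/$Group"
if ($members -contains $wanted) {           # -contains compares case-insensitively
    exit 0                                  # nothing to repair
}

try {
    # Re-add the group and record that it had been removed, with the
    # membership found at boot so the change can be reviewed later.
    $admins.psbase.Invoke('Add', $wanted)
    $msg = "$Domain\$Group was missing from local $name and has been re-added. " +
           "Members found before the fix: $($members -join '; ')"
    Write-EventLog -LogName Application -Source $source -EventId 4101 `
                   -EntryType Warning -Message $msg
}
catch {
    Write-EventLog -LogName Application -Source $source -EventId 4102 `
                   -EntryType Error -Message "Could not re-add $Domain\$Group : $_"
    exit 1
}
```

The script only repairs membership at boot; a local administrator can remove the group again afterwards, so the warning event is the part to collect centrally.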