Persistent Administrator Restrictions via Group Policy

  • Question

  • Hello, 

    I was attempting to prevent my users from installing rogue software on their workstations via GPO.  I created a restricted group "Administrators" and then added the Domain Admins to the "This group is a member of:" section.  Now my workstation doesn't have any admin privileges.  I tried deleting the newly created restricted group GPO, but I'm still locked out.  Unfortunately I don't know enough to give any more specifics.  Any suggestions are greatly appreciated.   


    • Edited by NBSChang Saturday, June 23, 2012 12:12 AM
    Friday, June 22, 2012 4:43 PM

Answers

  • Hello,

    Use another enterprise admin account and remove the settings, then reboot the machine.

    And you are NOT able to restrict the domain admins; every configured setting can be reverted, as they are domain admins.

    Domain users should NEVER be local admin and for sure NOT domain admin.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Monday, June 25, 2012 6:28 AM
  • Hi,

    I agree with Meinolf; we could try to use another account that belongs to Enterprise Admins to revert the settings.

    Please understand that members of Domain Admins have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group. Because the group has full control in the domain, add users with caution.

    If you want to prevent users from installing software, I suggest we try to use the Software Restriction Policies via GPO. For details, please refer to the following articles.

    How To use Software Restriction Policies in Windows Server 2003

    http://support.microsoft.com/kb/324036

    How Software Restriction Policies Work

    http://technet.microsoft.com/en-us/library/cc786941(v=WS.10).aspx

    Regards,

    Andy

    Monday, June 25, 2012 7:23 AM
    Moderator
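
An added example (not code from any poster in this thread): a Python check for the misconfiguration described in the question, where Domain Admins was entered under "This group is a member of:" for the restricted group Administrators. It assumes the Restricted Groups setting is stored in the GPO's GptTmpl.inf under [Group Membership] as `<group>__Members` / `<group>__Memberof` lines and that an empty Members list is enforced as "no members"; the sample templates and the SID are constructed.

```python
# Audits the [Group Membership] section of a GPO security template (GptTmpl.inf).
# Real files are usually UTF-16; decode them before passing the text in.
ADMIN_IDS = {"*s-1-5-32-544", "administrators", "builtin\\administrators"}
DA = "*S-1-5-21-1111111111-2222222222-3333333333-512"  # constructed Domain Admins SID

# Constructed: the setup from the question (Domain Admins entered under "member of").
SAMPLE_LOCKOUT = f"""[Version]
signature="$CHICAGO$"
[Group Membership]
*S-1-5-32-544__Memberof = {DA}
*S-1-5-32-544__Members =
"""
# Constructed: the restricted group is Domain Admins, made a member of Administrators.
SAMPLE_MEMBER_OF = f"""[Group Membership]
{DA}__Memberof = *S-1-5-32-544
{DA}__Members =
"""

def parse_group_membership(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} for configured keys."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        group, sep, kind = key.strip().rpartition("__")
        if sep and kind.lower() in ("members", "memberof"):
            entries = [v.strip() for v in value.split(",") if v.strip()]
            groups.setdefault(group, {})[kind.lower()] = entries
    return groups

def audit(inf_text):
    """Flag Restricted Groups entries that can strip local admin rights."""
    findings = []
    for group, cfg in parse_group_membership(inf_text).items():
        if group.lower() not in ADMIN_IDS:
            continue
        if "members" in cfg and not cfg["members"]:
            findings.append(f"{group}: Members is empty, existing local admins get removed")
        if cfg.get("memberof"):
            findings.append(f"{group}: Memberof nests this group, it adds no members to it")
    return findings

if __name__ == "__main__":
    for name, text in (("lockout", SAMPLE_LOCKOUT), ("member-of", SAMPLE_MEMBER_OF)):
        print(name, audit(text) or "no findings")
```

Running a check like this against a GPO before linking it to workstation OUs catches the lockout pattern while the policy can still be edited by the account that created it.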
