re-add domain admins to member workstation local admin group

[wallst32]

I have a domain where most users have local administrator rights on their domain member workstations. Some of these users have removed domain admins from the local administrator group of their own workstation.

I know you can use a login script to add domain admins back; but are there any other methods? I'd like to be able to push the domain admin group back into place when the workstations are online if possible w/o requiring the user to have to logon and execute a login script.

 

[gmail2]

If you done it through startup script, then the users woudln't have to login - the script would run when the machine is started up and the users would never know.

A better method however would be to use restricted groups in GPO. This means that you can force the membership of local groups through GPO. Every time group policy is processed, it will overwrite the membership with whatever you specified in the policy.

If your users have local admin rights on just their own machines, and you want to keep this, restricted groups will not work though, and you'll have to use script instead.

However, unless you have good cause not to, I would recommend removing your users local admin rights. If they're already clever enough to have removed domain admins from the local administrators group, then they've probably done other malicious stuff you don't want them to do. And could have unknown numbers of malware and software that you don't want. But that's a subject for another thread I think

Irish Poetry - Karen O'Connor
Irish Poetry and Short Stories - Doghouse Books
Garten und Landschaftsbau