I'd like to see that documentation as well - I've not heard of that change.
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

> -----Original Message-----
> From: Willem Kasdorp [mailto:[EMAIL PROTECTED]
> Sent: Sunday, February 29, 2004 10:15 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...
>
> It's true. There is an XP post-SP1 hotfix for that. It works through Member
> Of, that no longer removes all members but just adds the one you need. I
> believe it works by default on W2003. I just deployed that capability.
>
> --
> Regards, Willem
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
> Sent: Sunday, February 29, 2004 2:40
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...
>
> I sent mail to the GP experts to find out about this....I don't really
> know, I'm kinda just rambling. I'll let you know what I find out.
>
> ~Eric
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Saturday, February 28, 2004 3:49 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...
>
> I don't think so but it is definitely in the category of nice to have...
> Sort of break it up into two things.
> 1. Always have this principal in the group.
> 2. Never allow this principal in the group.
>
> But don't let this pull you away from that other little fun thing I found...
> I am really curious to hear the answer.
>
> Thanks joe :o)
>
> -------------
> http://www.joeware.net (download joeware)
> http://www.cafeshops.com/joewarenet (wear joeware)
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
> Sent: Saturday, February 28, 2004 3:59 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...
>
> I'm not a group policy expert but Joe with this point:
>
> > 3. Do something around restricted groups GPO though this is tough to do
> > when you want different admins on different boxes.
>
> Can't you set restricted groups to do an 'add' rather than a 'replace'?
> I thought that was a w2k sp4 / xpsp1 / 2003 change that was made. If there
> is doubt that I can dig up some documentation on it....I'd swear I read this
> before but it has been a while.
>
> ~Eric
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
> Sent: Friday, February 27, 2004 10:56 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...
>
> You can't stop them from removing it.
>
> I would think to use one of several solutions once it is removed however. I
> will let you pick.
>
> 1. Have a script that watches for the removal of your group from the local
> admins group. If it occurs, the machine gets kicked out of the domain. They
> should get the hint shortly.
>
> 2. Have a startup script from a GPO put the group back in the admins group
> every time the machine reboots.
>
> 3. Do something around restricted groups GPO though this is tough to do when
> you want different admins on different boxes.
>
> 4. Set up a special service that monitors that group and makes sure the
> remote management group is always there. You could write it to be fast
> enough to put it back before their command that removes it returns from
> removing.
>
> When you are an admin of a box it is very difficult to be stopped from doing
> things on the box.
>
> -------------
> http://www.joeware.net (download joeware)
> http://www.cafeshops.com/joewarenet (wear joeware)
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Todd Povilaitis
> Sent: Friday, February 27, 2004 6:02 PM
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] [Slightly OT] Delete inhibit DOMAIN\Remote Management group from local admins...
>
> We have a few developers where their domain user account is a member of
> Local Admins group. With this privilege, some have elected to delete the
> DOMAIN\Remote Management group from the Local Admins group. Among other
> things, this interferes with maintenance routines utilizing WMI and/or
> Remote Scripting. Is there any way to delete inhibit DOMAIN\Remote Management
> group from Local Admins?
>
> __________________
> Todd Povilaitis
> LAN Administrator
> Huntington Hospital
> [EMAIL PROTECTED]
> Phone: (626) 397-3392
> Fax: (626) 397-2901

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
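
Option 2 from joe's list (a GPO startup script that puts the group back), written out as an added example that is not part of the original thread. It assumes Windows PowerShell 5.1 with the LocalAccounts cmdlets; `DOMAIN\Remote Management` is the thread's placeholder name, and the event source name and event IDs are hypothetical. Each restore is logged so that machines where the group keeps disappearing can be found from the Application log.

```powershell
# Added example, not from the thread. Deploy as a computer startup script (runs as SYSTEM).
# Assumes Windows PowerShell 5.1 (Get-LocalGroupMember, Add-LocalGroupMember, Write-EventLog).
$RequiredMember  = 'DOMAIN\Remote Management'  # placeholder group name used in the thread
$AdminsSid       = 'S-1-5-32-544'              # well-known SID of BUILTIN\Administrators
$EventSource     = 'LocalAdminsGuard'          # hypothetical event source name
$EventIdRestored = 4100                        # constructed event IDs for this example
$EventIdFailed   = 4101

function Test-RequiredMember {
    # $true when the required principal is currently in local Administrators.
    # Looking the group up by SID avoids depending on its localized name.
    $found = Get-LocalGroupMember -SID $AdminsSid -Member $RequiredMember `
                                  -ErrorAction SilentlyContinue
    return [bool]$found
}

function Write-GuardEvent([int]$Id, [string]$Type, [string]$Message) {
    # Register the event source on first use, then write to the Application log.
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -Source $EventSource `
                   -EventId $Id -EntryType $Type -Message $Message
}

if (-not (Test-RequiredMember)) {
    try {
        Add-LocalGroupMember -SID $AdminsSid -Member $RequiredMember -ErrorAction Stop
        # Reaching this line means the group was missing and has been put back.
        Write-GuardEvent $EventIdRestored 'Warning' `
            "$RequiredMember was missing from local Administrators on $env:COMPUTERNAME and was re-added."
    }
    catch {
        # Typical cause at boot: the domain could not be reached to resolve the name.
        Write-GuardEvent $EventIdFailed 'Error' `
            "Could not re-add $RequiredMember on ${env:COMPUTERNAME}: $($_.Exception.Message)"
    }
}
```

As joe notes, a local administrator can still remove the group again after boot; the script only restores it at the next startup and leaves a record that it had to.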
