local policy

I have one user who has locked down his PC.

We are about to let him go very quietly, but before that I want to change his local admin password.

It seems no matter what I try, he locked out the domain admin; even from ADS I cannot add myself as local admin or RDP to his desktop.

Is there any way to take over the PC from ADS or remotely so I can change the password?

franku wrote:
> I have one user who has locked down his pc.
>
> We about to let him go very quietly but before I want to change his
> local admin password.
>
> It seems no matter what I try he locked out the domain admin even
> from ads I can not add myself as local admin or rdp his desktop
>
> Is there anyway to take over the pc from ADS or remote so I can
> change the password?

Use restricted groups group policy to enforce the domain admins membership of his local administrators group.

http://technet.microsoft.com/en-us/library/cc756802.aspx

--
/kj

Hi
If the machine belongs to your domain, you can enforce the Domain Admin in his PC using GPO Restriction Group Policy. If he removes the Domain Admin from the local administrators security group, that configuration (which is the default: the Domain Admins by default belong to the Local Administrators) will be replaced in the next GPO refresh.

Now, there are some ways to run away from that, but if I were you I would talk to that guy first, or check his workstation to see what's going on and why he is locking you out from his workstation, then explain to him the company policy and why things are supposed to work as planned.

Remember that even if you change the Local Administrator's password, it is very easy for that user to revert that action, and he will have full control of his workstation again. Most important is to follow your company policy and warn him about the consequences if he does not follow it.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services

In news:A62DB3A9-6521-43E2-AA76-8F8668F318B9@microsoft.com,
franku <fra***@discussions.microsoft.com>, posted the following:
> I have one user who has locked down his pc.
>
> We about to let him go very quietly but before I want to change his
> local admin password.
>
> It seems no matter what I try he locked out the domain admin even
> from ads I can not add myself as local admin or rdp his desktop
>
> Is there anyway to take over the pc from ADS or remote so I can
> change the password?

Restricted groups, as already mentioned, will do the trick, provided the machine is still a domain member.

If he removed the machine account from AD, then I would imagine to wait for him to go home for the day, remove him from domain admins, and/or local admins, apply restricted groups, so you have full control of the machine and he can no longer make changes. If he complains, remind him what Jorge mentioned: Company policy and consequences.

Maybe it's time to let him go sooner than you would have liked to?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
ace***@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

Howdie!
Ace Fekay [Microsoft Certified Trainer] wrote:
> If he removed the machine account from AD, then I would imagine to wait
> for him to go home for the day, remove him from domain admins, and/or
> local admins, apply restricted groups, so you have full control of the
> machine and he can no longer make changes. If he complains, remind him
> what Jorge mentioned: Company policy and consequences.
>
> Maybe it's time to let him go sooner than you would have liked to?

Yeah. Another reason why people should run as admins of their machines. It actually doesn't ease the management pain on the machines, it sometimes makes it harder to push a common config or enforce a valid configuration throughout all clients. Specially when people think they need to be gods on their machines and shut it down.

Hum... that leads me to a good idea: why not write a bill for the machine and let the user pay for it? Since he locked it down, he might wanna take it home and use it there, privately?

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste

In news:utIYAMtpJHA.6132@TK2MSFTNGP06.phx.gbl,
Florian Frommherz [MVP] <flor***@frickelsoft.DELETETHIS.net>, posted the following:
<snipped>
> Hum... that leads me to a good idea: why not write a bill for the
> machine and let the user pay for it? Since he locked it down, he might
> wanna take it home and use it there, privately?
>
> Cheers,
> Florian

I agree, Florian!!!

Ace

Hello franku,
As suggested by the others, Restricted Groups will do it. Also, I would remove the users' local admin rights; there is no need for them to have them. Software runs without being local admin. If problems exist, they can be evaluated with "Process Monitor" from Sysinternals, and then you can configure the needed permissions on the folders/files or registry.

Process Monitor v2.03
http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

Best regards

Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
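
The Restricted Groups behaviour described in the replies above, sketched as an added PowerShell example (not posted by any participant in this thread): it models how the policy's member list replaces the local Administrators membership at Group Policy refresh and flags drift. The CONTOSO and WS01 names and the Compare-RestrictedGroup function are hypothetical.

```powershell
# Added example: models the replace behaviour of a Restricted Groups member
# list at Group Policy refresh. All account names are constructed sample
# values; CONTOSO (domain) and WS01 (workstation) are hypothetical.
function Compare-RestrictedGroup {
    [CmdletBinding()]
    param(
        # Members listed in the Restricted Groups policy.
        [Parameter(Mandatory)] [string[]] $Enforced,
        # Members currently in the local group on the workstation.
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $Actual
    )
    # -in / -notin compare case-insensitively, like Windows account names.
    foreach ($m in $Enforced) {
        $action = if ($m -in $Actual) { 'Keep' } else { 'Add' }
        [pscustomobject]@{ Member = $m; Action = $action }
    }
    foreach ($m in $Actual) {
        if ($m -notin $Enforced) {
            [pscustomobject]@{ Member = $m; Action = 'Remove' }
        }
    }
}

# Policy baseline: local Administrators must contain exactly these accounts.
$enforced = @('CONTOSO\Domain Admins', 'WS01\Administrator')

# Constructed snapshot of a workstation where the user removed Domain Admins
# and added his own account. On a live machine the list would come from:
#   (Get-LocalGroupMember -SID 'S-1-5-32-544').Name
$actual = @('WS01\Administrator', 'CONTOSO\jdoe')

$plan = Compare-RestrictedGroup -Enforced $enforced -Actual $actual
$plan | Format-Table -AutoSize

# Any Add or Remove row means the machine has drifted from the baseline; the
# policy corrects it at the next refresh, provided the machine is still a
# domain member.
if ($plan.Action -contains 'Add' -or $plan.Action -contains 'Remove') {
    Write-Warning 'Local Administrators differs from the Restricted Groups baseline.'
}
```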