Add domain admin back to local admin

Archived from groups: microsoft.public.win2000.security (More info?)

Well assuming the computer is still a member of the domain you could use a
Group Policy startup script with the net localgroup command but the best way
would probably be to use Group Policy Restricted Groups. There are two ways
to use Restricted Groups - with members or member of. If you specify members
then only the members you specify will be in the local administrators group.
If you use "member of" in Windows 2000 Service Pack 4 then group/users you
specify will become member of designated group. Be sure to try this at the
Organizational Until level only so as to not affect domain controllers and
domain administrators membership. I would create an OU with a GPO linked to
it with Restricted Groups configured and then move the computers into that
OU that you want to enforce Restricted Groups on. Then the next time the
Group Policy refreshes in those computers the Restricted Groups will apply
which may take up to two hours as the default Group Policy refresh interval
for a computer is 90 minutes with a 30 minute random offset. Rebooting the
computer should cause the policy to refreshed at computer startup. The links
below may help. --- Steve

http://msdn.microsoft.com/library/ [...] gp/611.asp
http://support.microsoft.com/defau [...] -us;228496
http://support.microsoft.com/defau [...] -us;810076

"Robin Hood" <Robin Hood@discussions.microsoft.com> wrote in message
news:6F2ABE0A-013B-4F25-9A6E-993306AE9161@microsoft.com...
> How can I remotely, without the users knowledge, add the domain admin back
> to
> the local administrators group?
>
> Thanks