Ken Long (Guest)
Posted: Fri Nov 11, 2005 5:50 pm
Post subject: Can't remove user from administrator group

I'm having trouble removing a user from the local administrator group
on an older NT4 server. This server is a member server in our company
domain. The primary logon server is running Windows Server 2003 but
this member server is an old NT4 Server that had been demoted from PDC
during a recent upgrade.

In the past, I had to find a way to allow this user to log onto the
server console and run a utility when I wasn't around. After playing
with it for a few months, I had to finally add her to the local
administrator group or it just didn't work. This wasn't a problem so I
did it. Now that task has fallen onto the shoulders of someone else so
I need to remove the old user from the administrator group. Here are
the steps I'm doing:

1. Open User Manager for Domains on the NT4 member server.
2. Change the domain to the local server name so I'm working on the
local server only. (User, Select Domain...)
3. Open the Administrator group and remove the user from the group.
4. Close User Manager and re-open. The user is back in the group as if
I had never removed her.

I've checked to be sure she doesn't have some extra rights on the
Primary Logon Server but all is normal there. I suspect this might be
an unwanted side-effect from the demotion from PDC during the upgrade.
The account that keeps reappearing in the administrator group appears
to be a local user account, not a domain account, i.e., it's shown as
simply username rather than Domain\username.

All thoughts welcome.

Ken Long
Albuquerque, NM
(Reply address works as is.)

Steven L Umbach (Guest)
Posted: Fri Nov 11, 2005 5:50 pm
Post subject: Re: Can't remove user from administrator group

I don't have an NT4.0 computer to play with right now but here is what I
would do. Run the command net localgroup administrators on that server to
see if it shows the membership of the local administrators group and to make
sure that you are indeed logged on as a local administrator - preferably a
local user account. Then use the command net localgroup administrators
username /delete to see if that works or not or gives some sort of an error
message. If the user is a domain user then add the domainname to the front of
the user's name as in domainname\username. I would also look in the
system/application/security logs to see if anything is reported there that
may provide a clue.

If worse comes to worse you could rename the old sam file, then delete it
and reboot the computer. This will create a new sam file that includes ONLY
built in groups/users and the administrator password would be blank. You
would have to do that from outside the operating system by placing the hard
drive in another computer as a secondary/slave or such.

--- Steve

Roger Abell [MVP] (Guest)
Posted: Sat Nov 12, 2005 9:50 am
Post subject: Re: Can't remove user from administrator group

Try lusrmgr instead of usrmgr (if I am remembering NT4 correctly)
or, on the NT4 member use
net localgroup administrators <username> /delete
where <username> is name of a member local account or is
domain qualified, domain\username, if a domain account.

However, why not just disable and eventually delete the old
account?? And the new person should be using their own
new account that has the privileges.
--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4
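
The list, remove and re-check sequence suggested in the replies above, written as a batch file. This is an added example and not part of the original thread; the file name rmadmin.bat is hypothetical, and the script assumes an account name without spaces, passed as username for a local account or DOMAIN\username for a domain account.

```bat
@echo off
rem rmadmin.bat (hypothetical name) - added example, not from the thread.
rem Removes one member from the local Administrators group, then queries
rem the group again to confirm that the removal actually persisted.
rem Usage: rmadmin.bat username          (local account)
rem        rmadmin.bat DOMAIN\username   (domain account)
rem Assumption: the account name contains no spaces.
if "%1"=="" goto usage

echo --- Local Administrators before the change:
net localgroup administrators

rem Attempt the removal; net.exe prints its own error text on failure
rem and returns a nonzero exit code.
net localgroup administrators %1 /delete
if errorlevel 1 goto failed

rem Query the group again rather than trusting the success message.
rem find does a case-insensitive substring match, so a shorter name that
rem is contained in another member's name will also match; read the
rem listing printed below before drawing a conclusion.
net localgroup administrators | find /i "%1" >nul
if not errorlevel 1 goto stillthere

echo %1 is no longer listed in the local Administrators group.
goto end

:stillthere
echo %1 is STILL listed after a delete that reported success.
echo --- Local Administrators after the change:
net localgroup administrators
echo Check the system, application and security logs for a cause.
goto end

:failed
echo Removal of %1 failed; see the net.exe error message above.
echo Confirm that you are logged on as a local administrator.
goto end

:usage
echo Usage: %0 username   or   %0 DOMAIN\username

:end
```

Run it from a console session on the member server itself, and run the membership query again after closing and reopening User Manager, since that is the point at which the thread's symptom appeared.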