views: 96
answers: 3

My Windows Vista work computer is a member of a domain. The domain administrators have set up a group policy that keeps adding them as Administrators of my computer every night.

Is there a way I can prevent this from happening? I am an Administrator on the computer.

A: 

These are serious answers:

  • disconnect your PC from the network
  • remove your PC from the domain

You can't change group policy: it can override local settings or not be overridden. Domain admins trump local admins in AD.

But why?

gbn
Disconnecting won't help, as group policies are cached locally, and removing it from the domain requires domain admin privileges anyway... but yeah, that's it - but he'd need the admins' cooperation ^^
Oskar Duveborn
he he. I did not know that (it's been a while since I was a sysadmin)
gbn
A: 

There is no (useful) way. This isn't, however, a technical problem at all but a policy problem (if a problem at all). Take it up with your administrators and your boss. Ask them why and they should explain.

This behaviour is a default policy, by the way.

Oskar Duveborn
A: 

Yes, you can. There are a number of ways at your disposal. A few ideas:

  • Delete their local admin. Add your own local admin user with the same username but a different password. The GPO addition will assume the user is already there and not make any changes.

  • Update registry permissions to remove access to any of the several keys required to add a user. Mark Russinovich describes procedures on his blog.

  • Edit the NTFS permissions on the directory where the group policy objects are cached. (this, of course, will break all GPOs, not just the local admin...)

Bottom line: as a local admin, you can do anything. In order for Group Policy to work and for the GPO to add a local user, it must do something. Break any part of that something and you've found your solution.

Of course, just because you can doesn't mean that you should. I was an IT guy, users did this to me, and it's irritating. It's a policy issue and should be handled via non-technical means.

J.J.
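Before breaking anything, the check a practitioner would want is to see exactly who is in the local Administrators group and which GPO keeps repopulating it (Restricted Groups settings live under Computer Configuration > Windows Settings > Security Settings > Restricted Groups). The script below is an added example and is not code from the question or any of the answers; it uses only the built-in `net.exe` and `gpresult.exe` that ship with Windows Vista and later, so it works on the asker's machine without newer cmdlets such as `Get-LocalGroupMember`. The report path under `$env:TEMP` is an assumption. Run it from an elevated PowerShell prompt:

```powershell
# Added example (not from the original question or answers): list the current
# members of the local Administrators group and locate the GPO that is adding them.
# Assumes Windows Vista or later and an elevated prompt; the report path is an assumption.

$report = Join-Path $env:TEMP 'gpresult-computer.html'

# 1. Who is in BUILTIN\Administrators right now?
#    `net localgroup` prints a header, a dashed separator line, the member list,
#    and a trailing "The command completed successfully." line; keep only the members.
$inList = $false
$members = foreach ($line in (net localgroup Administrators)) {
    if ($line -match '^-+$') { $inList = $true; continue }
    if ($inList -and $line -and $line -notmatch 'completed successfully') { $line.Trim() }
}
"Current members of BUILTIN\Administrators:"
$members | ForEach-Object { "  $_" }

# 2. Which GPO is adding them? gpresult /h writes an HTML Resultant Set of Policy
#    report that names the winning GPO for each applied setting (/f overwrites an
#    existing file). Open it and search for "Restricted Groups".
gpresult /scope computer /h $report /f | Out-Null
"RSoP report written to $report (search it for 'Restricted Groups')."

# 3. Quick text summary of the GPOs currently applied to this computer.
gpresult /scope computer /r
```

The names the report shows (the GPO and the domain group it adds, typically something like `DOMAIN\Domain Admins`) are what to take to the administrators, per the answers above: a single GPO name is a far more productive conversation opener than "something keeps adding you to my machine".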