• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 190
  • Last Modified:

Domain User -- Local Admin Group

Hi all,

Recently I have upgraded my windows NT domain to windows 2003 Domain. Everything is fine, and windows98 and windows 95 are giving me expected problems.

But recently I have problem adding domain user into local admin group. I used both GUI method and also Dos command method to add the domain user into my local admin group. Domain users are successfully added to the local admin group, but after over a night ( or maybe earlier.. not sure the timing) all the domain users were removed from local group.

Anyone faced this problem before? any default GPO will force to remove the domain user from local group??
  • 2
  • 2
1 Solution
Yes Windows has a group policy object called 'restricted groups' you can find it following this path
computer configuration >> security settings >> restricted groups.

By default it should be empty but it is worth taking a look.

Briefly..you could have a policy that says to remove some or all users from a specific group.
I can't imagine how something can accidently show up there, but the symptoms match

HOW TO: Restrict Group Membership By Using Group Policy in Windows 2000
Any GPO objects will only apply to Win2K machines and higher.  For support of NT, ME, and 98 based machines you need to use System Policy settings instead  (these use registry entries instead).  

See also:  MS KB 814598  
mohaiAuthor Commented:
Hi Thanks for the info. I have tried to remove any setting in restrict group membership in my default domain group policy.
However the same problem arise.

Here is the message from my winlongon.log file..

----Configure Group Membership...
      Configure Administrators.
            remove GES-MSL\Domain Admins.
            remove GES-MSL\khfones.

Beside restric group membership, any other setting will cause this to happen??
mohaiAuthor Commented:
Hi MDigLio,

Thanks for the info..

Actually What you told me was correct and it worked.

I mistakenly remove the setting wrongly in other policy, and that is why it was initially not working.
Glad you got it working...thanks for the points
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now