I created a group policy to apply Restricted Groups to the local Administrators group on workstations. My understanding is that once the policy is in place, the local Administrators group will always reset itself to the restricted group membership after a reboot. My tests prove otherwise.
Once the worksations reboot, the policy applies and sets the group membership according to the policy which establishes the following members: administrator, domain\domain admins, domain\techgroup, and domain\anotherGroup. I log on to the pc as a member of the domain\techgroup and see that the new groups were added correctly. I remove one of the groups, reboot the workstation, and expect to see that the Administrators group reset back to the original four. It doesn't.
Another test was to add an individual user account to the local Administrator's group. It remains after the reboot. GPResult shows the policy is being read and applied, and RSoP on an XP box shows the policy is a "Winning GPO." What am I doing wrong?