Solved: Client XP users are being deleted or removed from User Accounts on a Network

Check your group policies and see if you have restricted groups set up for administrators. This would force it to reset the group on each machine every time group policy was refreshed

Ardee

ASKER

Yes, we have restricted groups and I've verified that both myself and these users have been made members. I also have permissions to add these users to the proper group and workstation containers for these permissions. However, the issue still recurs.

chuck-williams

Run the Group policy results wizard through the Group Policy Management Console and see the results for a particular computer just to make sure there is not another policy conflicting.

Ardee

ASKER

Had the guys in System Services check this out as you mentioned. They found a difference or missing component and made the adjustment; however, afterward, the user accounts still are removed after gpupdate /force. System Services has told me that this does not matter that the User Accounts show that the user does not show up in the Administrator group as they've been made a member of a group that is in the Administrator group so it's a moot point. Problem is, the users are still losing preferences like default printers, etc. The good news is that my users are learning about setting the preferences on their machines without any help as they have to do it themselves every morning! :) Any more ideas please.

chuck-williams

Hmmm is there any other policy or mandatory profile set that is causing them to reset their profile every time they log in. I would do another Group Policy results for a user with this problem and paste it in here if possible, only what is under the settings tab of the results. If it is a policy issue I can help you there.

Ardee

ASKER

I've got the gpresult text file to paste at the bottom and got clearance from our security to do this (just in case). However, I just spoke with our System Services team and they've found something that deals with the Debugger Users group and Microsoft Office products (?). They're creating some documentation for me to try out at this remote site. We'll see. In the mean time, here is the gpresults file:

** Thanks so much for your help **

Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 10/12/2007 at 8:57:00 AM

RSOP results for EDU\dimasrt on SDGDIMASRT001 : Logging Mode
-------------------------------------------------------------

OS Type: Microsoft Windows XP Professional
OS Configuration: Member Workstation
OS Version: 5.1.2600
Domain Name: EDU
Domain Type: Windows 2000
Site Name: HTPSDG
Roaming Profile:
Local Profile: C:\Documents and Settings\dimasrt
Connected over a slow link?: No

COMPUTER SETTINGS
------------------
CN=SDGDIMASRT001,OU=Developers,OU=ATX,OU=HRW,OU=Laptops,OU=Workstations,DC=edu,DC=regn,DC=net
Last time Group Policy was applied: 10/12/2007 at 8:08:59 AM
Group Policy was applied from: htpsdgdcxp001.edu.regn.net
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
EDUGLOALL-Corporate Mandatory Domain Policy-010
EDUGLOALL-Corporate Mandatory Computer Policy-010
EDUHRWALL-Flexible Laptop Developer Policy-001
EDUGLOALL-Corporate Flexible Computer Policy-010
EDUGLOALL-Corporate Flexible EFS Policy-010
EDUGLOALL-Vista Workstation Policy-001
Default Domain Policy
Local Group Policy

The computer is a part of the following security groups:
--------------------------------------------------------
BUILTIN\Administrators
Everyone
Debugger Users
BUILTIN\Users
NT AUTHORITY\NETWORK
NT AUTHORITY\Authenticated Users

Resultant Set Of Policies for Computer:
----------------------------------------

Software Installations
----------------------
N/A

Startup Scripts
---------------
N/A

Shutdown Scripts
----------------
N/A

Account Policies
----------------
GPO: EDUGLOALL-Corporate Mandatory Domain Policy-010
Policy: MinimumPasswordAge
Computer Setting: N/A

GPO: EDUGLOALL-Corporate Mandatory Domain Policy-010
Policy: PasswordHistorySize
Computer Setting: 5

GPO: EDUGLOALL-Corporate Mandatory Domain Policy-010
Policy: LockoutDuration
Computer Setting: 30

GPO: EDUGLOALL-Corporate Mandatory Domain Policy-010
Policy: ResetLockoutCount
Computer Setting: 30

GPO: EDUGLOALL-Corporate Mandatory Domain Policy-010
Policy: MinimumPasswordLength
Computer Setting: 7

GPO: EDUGLOALL-Corporate Mandatory Domain Policy-010
Policy: LockoutBadCount
Computer Setting: 5

GPO: EDUGLOALL-Corporate Mandatory Domain Policy-010
Policy: MaximumPasswordAge
Computer Setting: 60

Audit Policy
------------
GPO: EDUGLOALL-Corporate Mandatory Computer Policy-010
Policy: AuditPolicyChange
Computer Setting: Success, Failure

GPO: EDUGLOALL-Corporate Mandatory Computer Policy-010
Policy: AuditPrivilegeUse
Computer Setting: Failure

GPO: EDUGLOALL-Corporate Mandatory Computer Policy-010
Policy: AuditAccountLogon
Computer Setting: Success, Failure

GPO: EDUGLOALL-Corporate Mandatory Computer Policy-010
Policy: AuditAccountManage
Computer Setting: Success, Failure

GPO: EDUGLOALL-Corporate Mandatory Computer Policy-010
Policy: AuditLogonEvents
Computer Setting: Failure

User Rights
-----------
GPO: EDUGLOALL-Corporate Flexible Computer Policy-010
Policy: DenyRemoteInteractiveLogonRight
Computer Setting: EDU\EDU-Service Accounts

GPO: EDUGLOALL-Corporate Flexible Computer Policy-010
Policy: ChangeNotifyPrivilege
Computer Setting: Administrators
Backup Operators
Power Users
Users

GPO: EDUGLOALL-Corporate Flexible Computer Policy-010
Policy: ProfileSingleProcessPrivilege
Computer Setting: Administrators

GPO: EDUGLOALL-Corporate Flexible Computer Policy-010
Policy: LoadDriverPrivilege
Computer Setting: Administrators
Power Users

GPO: EDUGLOALL-Corporate Flexible Computer Policy-010
Policy: InteractiveLogonRight
Computer Setting: Administrators
Backup Operators
Power Users
Users

GPO: EDUGLOALL-Corporate Flexible Computer Policy-010
Policy: NetworkLogonRight
Computer Setting: Administrators
Backup Operators
Power Users
Users

GPO: EDUGLOALL-Corporate Flexible Computer Policy-010
Policy: DenyInteractiveLogonRight
Computer Setting: EDU\EDU-Service Accounts

Security Options
----------------
GPO: Default Domain Policy
Policy: RequireLogonToChangePassword
Computer Setting: Not Enabled

GPO: EDUGLOALL-Corporate Mandatory Domain Policy-010
Policy: EnableGuestAccount
Computer Setting: Not Enabled

GPO: EDUGLOALL-Corporate Mandatory Domain Policy-010
Policy: PasswordComplexity
Computer Setting: Enabled

GPO: EDUGLOALL-Corporate Mandatory Domain Policy-010
Policy: ForceLogoffWhenHourExpire
Computer Setting: Enabled

GPO: EDUGLOALL-Corporate Mandatory Domain Policy-010
Policy: LSAAnonymousNameLookup
Computer Setting: Enabled

GPO: EDUGLOALL-Corporate Mandatory Domain Policy-010
Policy: ClearTextPassword
Computer Setting: Not Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Policy: NewAdministratorName
Computer Setting: Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Policy: NewGuestName
Computer Setting: Enabled

Event Log Settings
------------------
GPO: EDUGLOALL-Corporate Flexible Computer Policy-010
Policy: MaximumLogSize
Computer Setting: 8192
Log Name: Security

GPO: EDUGLOALL-Corporate Flexible Computer Policy-010
Policy: MaximumLogSize
Computer Setting: 8192
Log Name: System

GPO: EDUGLOALL-Corporate Mandatory Computer Policy-010
Policy: RetentionDays
Computer Setting: 0
Log Name: Application

GPO: EDUGLOALL-Corporate Flexible Computer Policy-010
Policy: MaximumLogSize
Computer Setting: 8192
Log Name: Application

GPO: EDUGLOALL-Corporate Mandatory Computer Policy-010
Policy: RetentionDays
Computer Setting: 0
Log Name: System

GPO: EDUGLOALL-Corporate Mandatory Computer Policy-010
Policy: RetentionDays
Computer Setting: 0
Log Name: Security

GPO: EDUGLOALL-Corporate Mandatory Computer Policy-010
Policy: RestrictGuestAccess
Computer Setting: Enabled
Log Name: System

GPO: EDUGLOALL-Corporate Mandatory Computer Policy-010
Policy: RestrictGuestAccess
Computer Setting: Enabled
Log Name: Application

GPO: EDUGLOALL-Corporate Mandatory Computer Policy-010
Policy: RestrictGuestAccess
Computer Setting: Enabled
Log Name: Security

Restricted Groups
-----------------
GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Groupname: Administrators
Members: EDU\EDU-Child Domain Administrator
EDU\HRW-ALL Client Administrators
EDU\HRW-ALL Down Level OU Administrators
EDU\HRW-GPO ALL Developers

System Services
---------------
GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
ServiceName: wuauserv
Startup: Automatic

Registry Settings
-----------------
N/A

File System Settings
--------------------
N/A

Public Key Policies
-------------------
N/A

Administrative Templates
------------------------
GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\PCHealth\ErrorReporting\DW
State: disabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\Windows\NetCache
State: Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\PCHealth\ErrorReporting
State: Enabled

GPO: EDUGLOALL-Corporate Flexible Computer Policy-010
Setting: Software\Policies\Microsoft\Messenger\Client
State: Enabled

GPO: EDUGLOALL-Corporate Flexible Computer Policy-010
Setting: Software\Policies\Microsoft\Windows NT\Printers
State: Enabled

GPO: EDUGLOALL-Vista Workstation Policy-001
Setting: Software\Policies\Microsoft\FVE
State: Enabled

GPO: EDUGLOALL-Vista Workstation Policy-001
Setting: Software\Policies\Microsoft\FVE
State: Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\Windows\Network Connections
State: Enabled

GPO: Local Group Policy
Setting: Software\Policies\Microsoft\PCHealth\ErrorReporting
State: Enabled

GPO: EDUGLOALL-Vista Workstation Policy-001
Setting: Software\Policies\Microsoft\FVE
State: Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\Windows\NetCache
State: disabled

GPO: EDUGLOALL-Corporate Mandatory Computer Policy-010
Setting: Software\Policies\Microsoft\Windows\NetCache
State: Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\PCHealth\ErrorReporting\DW
State: Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
State: Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\Windows\NetCache
State: Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\Windows NT\CurrentVersion\EFS
State: Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\PCHealth\ErrorReporting
State: Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\PCHealth\ErrorReporting\DW
State: Enabled

GPO: EDUGLOALL-Corporate Mandatory Computer Policy-010
Setting: Software\Policies\Microsoft\Windows\Network Connections
State: Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled

GPO: EDUGLOALL-Corporate Flexible Computer Policy-010
Setting: Software\Policies\Microsoft\Windows NT\Terminal Services
State: Enabled

GPO: EDUGLOALL-Vista Workstation Policy-001
Setting: Software\Policies\Microsoft\FVE
State: Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled

GPO: EDUGLOALL-Corporate Flexible Computer Policy-010
Setting: Software\Policies\Microsoft\Windows NT\Printers\Wizard
State: Enabled

GPO: EDUGLOALL-Corporate Mandatory Computer Policy-010
Setting: Software\Policies\Microsoft\Windows NT\Terminal Services
State: Enabled

GPO: EDUGLOALL-Vista Workstation Policy-001
Setting: Software\Policies\Microsoft\FVE
State: Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots
State: Enabled

GPO: EDUGLOALL-Corporate Flexible Computer Policy-010
Setting: Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions
State: Enabled

GPO: EDUGLOALL-Vista Workstation Policy-001
Setting: Software\Policies\Microsoft\FVE
State: Enabled

GPO: EDUGLOALL-Corporate Flexible Computer Policy-010
Setting: Software\Policies\Microsoft\Windows NT\Printers
State: Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\Windows\System
State: Enabled

GPO: Local Group Policy
Setting: Software\Policies\Microsoft\PCHealth\ErrorReporting\DW
State: Enabled

GPO: EDUGLOALL-Vista Workstation Policy-001
Setting: Software\Policies\Microsoft\FVE
State: Enabled

GPO: EDUGLOALL-Vista Workstation Policy-001
Setting: Software\Policies\Microsoft\TPM
State: Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\Cryptography\AutoEnrollment
State: Enabled

GPO: EDUGLOALL-Corporate Mandatory Domain Policy-010
Setting: Software\Policies\Microsoft\Windows NT\Printers
State: Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\PCHealth\ErrorReporting\DW
State: Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled

GPO: EDUGLOALL-Corporate Mandatory Computer Policy-010
Setting: SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
State: Enabled

GPO: EDUGLOALL-Corporate Mandatory Computer Policy-010
Setting: Software\Policies\Microsoft\Windows\Network Connections
State: Enabled

GPO: EDUGLOALL-Corporate Mandatory Computer Policy-010
Setting: Software\Policies\Microsoft\Windows NT\Terminal Services
State: Enabled

GPO: EDUGLOALL-Corporate Flexible Computer Policy-010
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: Enabled

GPO: EDUGLOALL-Vista Workstation Policy-001
Setting: Software\Policies\Microsoft\FVE
State: Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\Windows\NetCache
State: Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\Windows\NetCache
State: Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\Windows\NetCache
State: Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\PCHealth\ErrorReporting\DW
State: disabled

GPO: EDUGLOALL-Corporate Flexible Computer Policy-010
Setting: Software\Policies\Microsoft\Windows NT\Printers
State: Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate\AU
State: Enabled

GPO: EDUGLOALL-Corporate Flexible Computer Policy-010
Setting: Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon
State: Enabled

GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Setting: Software\Policies\Microsoft\Windows\WindowsUpdate
State: Enabled

GPO: EDUGLOALL-Corporate Mandatory Domain Policy-010
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: Enabled

GPO: EDUGLOALL-Vista Workstation Policy-001
Setting: Software\Policies\Microsoft\TPM
State: Enabled

GPO: EDUGLOALL-Corporate Mandatory Computer Policy-010
Setting: Software\Policies\Microsoft\Windows NT\Terminal Services
State: Enabled

USER SETTINGS
--------------
CN=Dimas\, Rafael T. (HTP-SDG),OU=EXCH,OU=SDG,OU=HTP,OU=Users,OU=User Accounts,DC=edu,DC=regn,DC=net
Last time Group Policy was applied: 10/12/2007 at 8:21:34 AM
Group Policy was applied from: htpsdgdcxp001.edu.regn.net
Group Policy slow link threshold: 500 kbps

Applied Group Policy Objects
-----------------------------
EDUGLOALL-Corporate Mandatory User Policy-010
EDUHRWALL-Flexible Desktop Services User Policy-001
EDUGLOALL-Corporate Flexible User Account Policy-010
EDUGLOALL-Corporate Flexible All User Policy-010
Default Domain Policy
Local Group Policy

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
EDUGLOALL-Corporate Mandatory Domain Policy-010
Filtering: Disabled (GPO)

The user is a part of the following security groups:
----------------------------------------------------

Everyone
BUILTIN\Users
BUILTIN\Administrators
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL

Resultant Set Of Policies for User:
------------------------------------

Software Installations
----------------------
N/A

Public Key Policies
-------------------
N/A

Administrative Templates
------------------------
GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System
State: disabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{8EAD3A12-B2C1-11d0-83AA-00A0C92C9D5D}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\Internet Explorer\Control Panel
State: disabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{942A8E4F-A261-11D1-A760-00C04FB9603F}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{5ADF5BF6-E452-11D1-945A-00C04FB984F9}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\Internet Explorer\Restrictions
State: Enabled

GPO: EDUGLOALL-Corporate Flexible User Account Policy-010
Setting: Software\Policies\Microsoft\MMC\{1BC972D6-555C-4FF7-BE2C-C584021A0A6A}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\Internet Explorer\Control Panel
State: disabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{8F8F8DC0-5713-11D1-9551-0060B0576642}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{0F6B957D-509E-11D1-A7CC-0000F87571E3}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{E12BBB5D-D59D-4E61-947A-301D25AE8C23}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{A841B6C2-7577-11D0-BB1F-00A0C922E79C}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{2DA6AA7F-8C88-4194-A558-0D36E7FD3E64}
State: Enabled

GPO: EDUGLOALL-Corporate Flexible User Account Policy-010
Setting: Software\Policies\Microsoft\Windows NT\SharedFolders
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\Windows\CurrentVersion\Identities
State: Enabled

GPO: EDUGLOALL-Corporate Flexible All User Policy-010
Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
State: Enabled

GPO: EDUGLOALL-Corporate Flexible User Account Policy-010
Setting: Software\Policies\Microsoft\MMC\{40B66660-4972-11d1-A7CA-0000F87571E3}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\Internet Explorer\Restrictions
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\Internet Explorer\Restrictions
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}
State: Enabled

GPO: EDUGLOALL-Corporate Mandatory User Policy-010
Setting: Software\Policies\Microsoft\Windows\System
State: disabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\Internet Explorer\Control Panel
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: disabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{1C5DACFA-16BA-11D2-81D0-0000F87A7AA3}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\Internet Explorer\Control Panel
State: disabled

GPO: EDUGLOALL-Corporate Flexible User Account Policy-010
Setting: Software\Policies\Microsoft\MMC\{d524927d-6c08-46bf-86af-391534d779d3}
State: Enabled

GPO: EDUGLOALL-Corporate Flexible User Account Policy-010
Setting: Software\Policies\Microsoft\MMC\{40B66661-4972-11d1-A7CA-0000F87571E3}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\Internet Explorer\Restrictions
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\Internet Explorer\Control Panel
State: disabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{de751566-4cc6-11d1-8ca0-00c04fc297eb}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl
State: disabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: disabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{40B6664F-4972-11D1-A7CA-0000F87571E3}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
State: disabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{011BE22D-E453-11D1-945A-00C04FB984F9}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\Internet Explorer\Control Panel
State: disabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\Windows\NetCache
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{FC715823-C5FB-11D1-9EEF-00A0C90347FF}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{FF5903A8-78D6-11D1-92F6-006097B01056}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: disabled

GPO: EDUGLOALL-Corporate Mandatory User Policy-010
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\System
State: Enabled

GPO: EDUGLOALL-Corporate Flexible User Account Policy-010
Setting: Software\Policies\Microsoft\MMC\{B6F9C8AF-EF3A-41C8-A911-37370C331DD4}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\Cryptography\AutoEnrollment
State: Enabled

GPO: EDUGLOALL-Corporate Flexible User Account Policy-010
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: Enabled

GPO: EDUGLOALL-Corporate Flexible All User Policy-010
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{6DC3804B-7212-458D-ADB0-9A07E2AE1FA2}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{1AA7F839-C7F5-11D0-A376-00C04FC9DA04}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\Internet Explorer\Restrictions
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{DEA8AFA0-CC85-11d0-9CE2-0080C7221EBD}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{677A2D94-28D9-11D1-A95B-008048918FB1}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: disabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{D967F824-9968-11D0-B936-00C04FD8D5B0}
State: Enabled

GPO: Local Group Policy
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\Internet Explorer\Control Panel
State: disabled

GPO: Local Group Policy
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{EBC53A38-A23F-11D0-B09B-00C04FD8DCA6}
State: Enabled

GPO: EDUGLOALL-Corporate Flexible All User Policy-010
Setting: Software\Policies\Microsoft\WindowsMediaPlayer
State: Enabled

GPO: EDUGLOALL-Corporate Flexible User Account Policy-010
Setting: Software\Policies\Microsoft\MMC\{B6F9C8AE-EF3A-41C8-A911-37370C331DD4}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: disabled

GPO: EDUGLOALL-Corporate Mandatory User Policy-010
Setting: Software\Policies\Microsoft\Windows\System\Power
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: disabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: disabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{40B66650-4972-11D1-A7CA-0000F87571E3}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{0F6B957E-509E-11D1-A7CC-0000F87571E3}
State: Enabled

GPO: EDUGLOALL-Corporate Flexible User Account Policy-010
Setting: Software\Policies\Microsoft\MMC\{c40d66a0-e90c-46c6-aa3b-473e38c72bf2}
State: Enabled

GPO: EDUGLOALL-Corporate Flexible All User Policy-010
Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
State: Enabled

GPO: EDUGLOALL-Corporate Mandatory User Policy-010
Setting: Software\Policies\Microsoft\Windows\Group Policy Editor
State: Enabled

GPO: EDUGLOALL-Corporate Flexible User Account Policy-010
Setting: Software\Policies\Microsoft\MMC\{7E45546F-6D52-4D10-B702-9C2E67232E62}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{E355E538-1C2E-11D0-8C37-00C04FD8FE93}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
State: disabled

GPO: EDUGLOALL-Corporate Flexible All User Policy-010
Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\Windows\Control Panel\Desktop
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{3060E8CE-7020-11D2-842D-00C04FA372D4}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\Internet Explorer\Control Panel
State: disabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: Enabled

GPO: EDUGLOALL-Corporate Flexible User Account Policy-010
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate
State: disabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: disabled

GPO: EDUGLOALL-Corporate Flexible User Account Policy-010
Setting: Software\Policies\Microsoft\MMC\{fe883157-cebd-4570-b7a2-e4fe06abe626}
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\MMC\{D70A2BEA-A63E-11D1-A7D4-0000F87571E3}
State: Enabled

GPO: Local Group Policy
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall
State: disabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl
State: disabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\Internet Explorer\Control Panel
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Policies\Microsoft\Internet Explorer\Control Panel
State: disabled

GPO: Local Group Policy
Setting: Software\Policies\Microsoft\Windows NT\Driver Signing
State: Enabled

GPO: EDUGLOALL-Corporate Flexible User Account Policy-010
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: Enabled

GPO: EDUGLOALL-Corporate Mandatory User Policy-010
Setting: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
State: Enabled

GPO: EDUGLOALL-Corporate Flexible User Account Policy-010
Setting: Software\Policies\Microsoft\Windows NT\SharedFolders
State: Enabled

GPO: EDUGLOALL-Corporate Mandatory User Policy-010
Setting: Software\Policies\Microsoft\Windows\Group Policy Editor
State: Enabled

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Setting: Software\Microsoft\Outlook Express
State: Enabled

Folder Redirection
------------------
N/A

Internet Explorer Browser User Interface
----------------------------------------
GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Large Animated Bitmap Name: N/A
Large Custom Logo Bitmap Name: N/A
Title BarText: N/A
UserAgent Text: N/A
Delete existing toolbar buttons: No

Internet Explorer Connection
----------------------------
HTTP Proxy Server: N/A
Secure Proxy Server: N/A
FTP Proxy Server: N/A
Gopher Proxy Server: N/A
Socks Proxy Server: N/A
Auto Config Enable: No
Enable Proxy: Yes
Use same Proxy: No

HTTP Proxy Server: N/A
Secure Proxy Server: N/A
FTP Proxy Server: N/A
Gopher Proxy Server: N/A
Socks Proxy Server: N/A
Auto Config Enable: No
Enable Proxy: Yes
Use same Proxy: No

Internet Explorer URLs
----------------------
GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Home page URL: N/A
Search page URL: N/A
Online support page URL: N/A

URL: http://centrecourt.harcourt.com
Make Available Offline: No

URL: http://arena
Make Available Offline: No

URL: http://centrecourt.harcourt.com
Make Available Offline: No

URL: http://www.harcourt.com
Make Available Offline: No

Internet Explorer Security
--------------------------
Always Viewable Sites: N/A
Password Override Enabled: False

Always Viewable Sites: N/A
Password Override Enabled: False

GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Import the current Content Ratings Settings: No
Import the current Security Zones Settings: No
Import current Authenticode Security Information: No
Enable trusted publisher lockdown: No

Internet Explorer Programs
--------------------------
GPO: EDUHRWALL-Flexible Desktop Services User Policy-001
Import the current Program Settings: No

chuck-williams

According to that policy you have Administrators set on the PC to the following groups:

Restricted Groups
-----------------
GPO: EDUHRWALL-Flexible Laptop Developer Policy-001
Groupname: Administrators
Members: EDU\EDU-Child Domain Administrator
EDU\HRW-ALL Client Administrators
EDU\HRW-ALL Down Level OU Administrators
EDU\HRW-GPO ALL Developers

Now on any computer on which this is applied those users in those groups will be the ONLY local administrators on that machine.

As you can see with the results of that user:

The user is a part of the following security groups:
----------------------------------------------------

Everyone
BUILTIN\Users
BUILTIN\Administrators
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users
LOCAL

That user is NOT a part of any of the groups that are a part of restricted groups. After any reboot this user will not be a local administrator on any PC in which that particular policy is applied.

If you are trying to give individual access to specific users to specific machines as local admin you cannot specify restricted groups. If you do use restricted groups then you have to add the users that you want to have local admin access to one of those groups. If you do that they will have local admin to every PC that the policy is applied to.

Let me know if this helps.

Ardee

ASKER

I see what you are referring to but in Active Directory, both myself and the clients that I'm providing support for are members of the HRW-GPO All Developers group. Our computers are in in the HRW-GPO All Developer Computers group as well.

What I'm being told is that since I'm a member of HRW-GPO All Developers, and that group is a member of the Administrators group on the computer, that I should be fine. And technically, I am. I have administrative privileges on the computer. But I'm still not truly a "user" on the computer. Yes, I have permissions to do whatever I want for the most part, but it still doesn't correct the issue of users and myself being removed from the User Accounts.

Of course, it's Friday so it's time for everyone to go home and have a super weekend. Thanks for your help this week - I really appreciate it and I hope to hear back from you or perhaps let you know that we came up with a solution over the weekend. We'll enter more comments in on Monday.

chuck-williams

Is the user that you used to create the group policy results a part of that group because according to the results that user is not. I was looking for the results of someone (part of the HRW-GPO All Developers group) who is "supposed" to be a local admin, and on a computer that is supposed to apply the restrictive groups to it.

Hmmm.... all I can think of is to temporarily disable your restrictive groups policy and see if you still have the same issue. If you cannot there is a way to test it out using security filtering.

Make the test user and test computer a part of a test group and set that group as DENY on apply group policy for the policies you want to exclude. This may help you determine if there is a policy causing your issue. I would test any policy with restrictive groups to see if you can eliminate the problem.

A few suggestions to help you. Let me know if you have any breakthroughs :)

Ardee

ASKER

I'm not getting much feedback from the folks here. Nor am I seeing great positive changes on my end. My computer and account was moved to a different container and it works fine now, i.e., I am an admin and have not been removed from the group in over a week. However, I still have admins that are being removed and placed in debugger groups or being removed completely from all groups. I've pretty much given up all hope. Is there someway I can just give you the points for this ticket without a solution? I really don't know what to do to resolve this nasty situation.

chuck-williams

Well I am not sure I ave never awarded points since I just started this account 2 months ago. But I would try as a last resort removing any policies with restrictive groups and just trying a test scenario of creating such a policy before you send it out to everyone. If you moved yourself to another OU and there is no problem then there must be another policy causing the problem.

Sorry if I could sit and see your policies in the console I could probably figure it out. But my best advice to you is to try this:

Try setting up an OU and Block inheritance. Then assign the user and computer to the OU you want to test. Then apply policies one at a time and testing your problem each time to see if you can recreate it. If you can recreate it then you will find which policy is casing the issue. Once you know that you should be able to figure out your issue (Or delete that policy and start from scratch)

I hope that helps. If you have many group policies set up in different OU's sometimes it is just one policy that causes so much headache.

Ardee

ASKER

Okay, so here's what we did. We added "a" new computer name to a different client container and added the computer to the same groups as the previous computer. Then re-named the "bad" computer to the new computer name and added it to the domain. Restarted of course. Added the user back as an admin. Restarted. Did a gpupdate /force and now the user is fine. ??? Problem is, I've got several computers in that state - but - if that fixes it. . .