
Group policy doing something strange to local administrators group

We have a group policy in one office that modified the local administrators group. That was fine and worked well until some machines needed to have different/unique local administrators. So we put in a filter/exception that prevented this group policy applying to machines in a particular group.
If we run GPRESULT we can see that this policy is now filtered on these machines, and yet this is the strange bit.
We now modify local administrators on these PCs that need to have unique local administrators, and yet every now and again the 'local administrators' group gets blown away. It's as though the group policy system knows that we've filtered this policy that used to be applied, but rather than reverting the local administrators back to the pre-GPO settings just the once, it's happening every few days.
Are we misunderstanding the way GPOs work? When you filter a machine from a GPO, will it keep on reverting that PC's settings back to how they were before the GPO was run? How do we break the association between machine and GPO?
1 Solution
How does it look when you run an RSoP query on a machine in question (Start | Run | rsop.msc)? Browse to the restricted groups policy and see if any GPO at all is defining any groups.
By rights, if you have applied the correct security filtering to deny the machine read/apply rights to the GPO, it should have no effect at all.
Let us know what the RSoP returns...
blods (Author) commented:
No, RSoP shows the same as GPRESULT, i.e. the policy that could be affecting this local administrators group is being filtered with a deny.
It's almost as though the machine is starting, looking at this policy that is now denied, and deciding that it needs to revert the policy back to how it was before the policy was ever applied, so it's removing groups that the policy put in. This seems to be by design, but rather than occurring just once it then seems to run again on odd occasions.
The policy made the local administrators group contain only an AD group 'DOMAIN\global desktop admins' and 'Local Administrator'.
Filtering the policy for a computer, which shows up as DENY in RSoP/GPRESULT, seems to undo this and change the local administrators back to the default, i.e. DOMAIN\global desktop admins is removed.
Interestingly, when we now add additional accounts to local administrators such as COMPUTERNAME\JOHNSMITH, as well as putting DOMAIN\Global desktop admins back in again, then every now and again they get taken out again. Looking at the event logs shows this happening at machine startup and it looks to be group policy, but it can't be the one that's filtered (especially as the behaviour seems to be the reversal of the policy settings).
Does anyone know how GPOs undo what they've done, i.e. what is supposed to happen when a GPO that was changing a computer's local group is then disabled or blocked to machines via a DENY? My assumption had been that nothing would happen and the group would stay the same but remain untouched. My feeling now is that perhaps the machine decides to somehow roll back the GPO (but how, and where is it storing that info?). If that is true, then it's almost behaving as though this roll-back is being run repeatedly at odd times.
Restricted group settings actually tattoo. That is, once you remove the policy, those settings remain. You then have to change the setting locally, or use another GPO setting. At least, that happens in normal circumstances.
Considering this, it sounds like either:
1. Group policy must be applying and removing your local settings. The reason I asked you to look at RSoP was to see if any other policy was setting this; it should show the 'winning' policy and the settings it's applied. I assume from your reply that the RSoP query shows nothing in the 'Restricted Group' container?
2. You don't by any chance periodically apply a security template to the server, do you? Sometimes this is scripted to retain security settings without burdening group policy with the numerous settings involved. This would be scheduled and scripted with secedit. Just a thought. Look for any scheduled tasks or startup scripts that could be using secedit.
Other than that, to troubleshoot, you might be able to re-create the GPO (assuming there aren't too many settings) and apply this new GPO with the same security filtering, and see if this makes a difference.
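A diagnostic script that performs the checks suggested in this answer on an affected PC, added here as an example and not posted by anyone in the thread. It assumes Windows 8 / Server 2012 or later (Get-ScheduledTask) with PowerShell 5.1 (Get-LocalGroupMember), runs elevated, and that "Audit Security Group Management" is enabled so that event 4733 is logged.

```powershell
# Added diagnostic, not from the thread. Run from an elevated PowerShell prompt
# on a machine whose local Administrators group keeps being reset.

Write-Host "== Current local Administrators membership =="
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# Point 2 of the answer: a scheduled task re-applying a security template with secedit.
Write-Host "== Scheduled tasks whose actions invoke secedit =="
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'secedit') {
            [pscustomobject]@{ TaskPath = $task.TaskPath; TaskName = $task.TaskName; Command = $cmd }
        }
    }
} | Format-Table -AutoSize

# Machine startup scripts delivered by Group Policy live under this path locally.
Write-Host "== GPO machine startup scripts referencing secedit =="
$scriptsRoot = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Scripts'
if (Test-Path $scriptsRoot) {
    Get-ChildItem $scriptsRoot -Recurse -File |
        Select-String -Pattern 'secedit' -SimpleMatch |
        Select-Object Path, LineNumber, Line
}

# Security event 4733 = "A member was removed from a security-enabled local group".
# Field positions follow the 4733 schema: [1] MemberSid, [2] TargetUserName (group),
# [6] SubjectUserName (who did it). Correlate TimeCreated with reboots to confirm
# the "at startup" pattern described in the question.
Write-Host "== Recent removals from the local Administrators group (event 4733) =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4733 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -eq 'Administrators' } |
    Select-Object TimeCreated,
        @{ n = 'MemberSid'; e = { $_.Properties[1].Value } },
        @{ n = 'Actor';     e = { $_.Properties[6].Value } } |
    Format-Table -AutoSize
```

An actor of SYSTEM at boot time with no matching secedit task points back at policy processing itself; a named service account points at a script or template re-applying the group.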