Group policy doing something strange to local administrators group

Posted on 2009-04-29
Last Modified: 2013-12-04
We have a group policy in one office that modified the local administrators group. That was fine and worked well until some machines needed to have different/unique local administrators. So we put in a filter/exception that prevented this group policy applying to machines in a particular group.
If we run GPRESULT we can see that this policy is now filtered on these machines, and yet (this is the strange bit):
We now modify local administrators on these PCs that need to have unique local administrators, and yet every now and again the 'local administrators' group gets blown away. It's as though the group policy system knows that we've filtered this policy that used to be applied, but rather than reverting the local administrators back to the pre-GPO settings just the once, it's happening every few days.
Are we misunderstanding the way GPOs work? When you filter a machine from a GPO, will it keep on reverting that PC's settings back to how they were before the GPO was run? How do we break the association between machine and GPO?
Question by:blods
    LVL 27

    Expert Comment

    How does it look when you run an RSoP query on a machine in question (Start | Run | rsop.msc)? Browse to the restricted groups policy and see if any GPO at all is defining any groups.
    By rights, if you have applied the correct security filtering to deny the machine read/apply rights to the GPO, it should have no effect at all.
    Let us know what the RSoP returns...
    LVL 1

    Author Comment

    No, RSOP shows the same as GPRESULT - i.e. the policy that could be affecting this local administrator is being filtered with a deny.
    It's almost as though the machine is starting - looking at this policy that is now denied and deciding that it needs to revert the policy back to how it was before the policy was ever applied - so it's removing groups that the policy put in. This seems to be by design, but rather than occurring just once it then seems to run again on odd occasions.
    The policy made the local administrators group contain only an AD group 'DOMAIN\global desktop admins' and 'Local Administrator'
    Filtering the policy for a computer which shows up as DENY on RSOP/GPRESULT seems to undo this and change the local administrators back to the default i.e. DOMAIN\global desktop admins is removed.
    Interestingly, when we now add additional accounts to local administrators such as COMPUTERNAME\JOHNSMITH, as well as putting DOMAIN\Global desktop admins back in again, then every now and again they get taken out again. Looking at the event logs shows this happening at machine startup and it looks to be group policy - but it can't be the one that's filtered (especially as the behaviour seems to be the reversal of the policy settings).
    Does anyone know how GPOs undo what they've done? i.e. What is supposed to happen when a GPO that was changing a computer's local group is then disabled or blocked to machines via a DENY? My assumption had been that nothing would happen and the group would stay the same but remain untouched. My feeling now is that perhaps the machine decides to somehow roll back the GPO (but how and where is it storing that info?). If that is true, then it's almost behaving as though this roll-back is being run repeatedly at odd times.
    LVL 27

    Accepted Solution

    Restricted group settings actually tattoo. That is, once you remove the policy, those settings remain. You then have to change the setting locally, or use another GPO setting. At least that happens in normal circumstances.
    Considering this, it sounds like either -
    1. Group policy must be applying and removing your local settings. The reason I asked you to look at RSoP was to see if any other policy was setting this - it should show the 'winning' policy and the settings it's applied. I assume from your reply that the RSoP query shows nothing in the 'Restricted Group' container?
    2. You don't by any chance periodically apply a security template to the server do you? Sometimes this is scripted to retain security settings without burdening group policy with the numerous settings involved. This would be scheduled and scripted with secedit. Just a thought. Look for any scheduled tasks or startup scripts that could be using secedit.
    Other than that, to troubleshoot, you might be able to re-create the GPO (assuming there's not too many settings), and apply this new GPO with the same security filtering, see if this makes a difference.
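The following audit script is an added example for readers of this thread; it is not code posted by either participant. It checks, on one affected workstation, the three things the accepted answer points at: whether the local Administrators membership has drifted from what the GPO was meant to leave behind, whether any scheduled task or locally cached startup script re-applies a security template with secedit, and what gpresult says applied in computer scope. It assumes Windows 10 / Server 2016 or later for Get-LocalGroupMember and Get-ScheduledTask, an elevated prompt, and the member names from the thread as the expected baseline (adjust for your environment); the log path is an assumption too.

```powershell
# Added example (not from the thread): audit one affected workstation for the
# things the accepted answer asks about. Run in an elevated PowerShell.
# Assumes Get-LocalGroupMember and Get-ScheduledTask are available
# (Windows 10 / Server 2016 and later); the expected member names are taken
# from the thread and are assumptions for your environment.

param(
    [string[]]$ExpectedMembers = @('DOMAIN\global desktop admins',
                                   "$env:COMPUTERNAME\Administrator"),
    [string]$LogPath = (Join-Path $env:ProgramData 'LocalAdminAudit.csv')  # assumed path
)

# 1. Record who is in the local Administrators group right now and flag drift
#    against the membership the GPO was supposed to leave behind.
$current = Get-LocalGroupMember -Group 'Administrators' |
           Select-Object -ExpandProperty Name
$missing = $ExpectedMembers | Where-Object { $_ -notin $current }
$extra   = $current         | Where-Object { $_ -notin $ExpectedMembers }

# Appending one row per run (e.g. from a startup task) lets you line up each
# membership reset with a reboot, which is when the thread says it happens.
[pscustomobject]@{
    Timestamp = (Get-Date).ToString('s')
    LastBoot  = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime.ToString('s')
    Members   = ($current -join ';')
    Missing   = ($missing -join ';')
    Extra     = ($extra   -join ';')
} | Export-Csv -Path $LogPath -Append -NoTypeInformation

# 2. Look for a scheduled task that re-applies a security template with secedit,
#    which would reset the group outside of Group Policy processing.
$seceditTasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'secedit') {
            [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; Command = $cmd.Trim() }
        }
    }
}

# 3. Look for the same thing in the locally cached machine startup scripts.
$startupDir = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Scripts\Startup'
$seceditScripts = if (Test-Path $startupDir) {
    Get-ChildItem -Path $startupDir -Recurse -File |
        Select-String -Pattern 'secedit' -SimpleMatch |
        Select-Object Path, LineNumber, Line
}

# 4. Capture the machine's own view of which GPOs applied and which were filtered.
$rsop = gpresult /R /SCOPE COMPUTER 2>&1

"`n== Local Administrators drift =="
if ($missing) { "MISSING: $($missing -join ', ')" } else { 'No expected members missing' }
if ($extra)   { "EXTRA:   $($extra -join ', ')" }   else { 'No unexpected members' }
"`n== Scheduled tasks invoking secedit =="
if ($seceditTasks)   { $seceditTasks   | Format-Table -AutoSize } else { 'None found' }
"`n== Startup scripts referencing secedit =="
if ($seceditScripts) { $seceditScripts | Format-Table -AutoSize } else { 'None found' }
"`n== gpresult computer scope (applied vs. filtered GPOs) =="
$rsop
```

Because Restricted Groups settings tattoo, a single run only tells you the current state; registering the script as a startup scheduled task and comparing rows in the CSV across several reboots is what shows whether the membership is being reset on every boot or only on some, and the secedit checks tell you whether something other than the filtered GPO is doing it.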
