2000 Server local accounts losing admin rights

adml_shake asked
We have a Windows 2000 server running as a VM on a Server 2008 box using Hyper-V. This machine (2000) runs a database application that our company uses for billing, patient account tracking, and generating reports. All the accounts are set up as local accounts to that machine (though it is a domain member). Recently we've noticed that 3 or 4 times a day 2 of the accounts that have admin rights are losing these rights. If I check on them at 7am they will have the rights, but later on at some random time (we are still trying to narrow down exactly when it's happening) their admin rights are gone. We are all stumped as to why this is happening and would appreciate any ideas. Thanks.

Do you have any GPOs that would remove access based on accounts or groups?  Are the local accounts a part of another local group that is getting permissions removed?  Have you checked the security logs?
You can also turn on auditing to see who or what is modifying the accounts:


I have Audit Policy change and Audit account management now turned on. We've talked about GPOs that might be doing this, but the guy that set those up has no memory of ever setting anything that would cause this, and it seems to be a recent development. Is there a GP that would remove admin rights from local user accounts?
You might want to check out Group Preference - there are now ways to manipulate the local user accounts.
Restrictive groups would cause this


Here is what I saw from one of the 2 accounts over the weekend:
Security Enabled Local Group Member Removed:
       Member Name:      -
       Member ID:      MEGAWEST\mws
       Target Account Name:      Administrators
       Target Domain:      Builtin
       Target Account ID:      BUILTIN\Administrators
       Caller User Name:      MEGAWEST$
       Caller Domain:      SBO
       Caller Logon ID:      (0x0,0x3E7)
       Privileges:      -

I'm not really seeing anything here that is going to be much help.
To be frank, there isn't much for us to start with.

The audit simply says that the account was taken out of the Local group.

Can you let us know whether you have gone through all the Group Policy and Group Policy Preference objects applied to the OU that this machine is in?

Below are a few ways a local admin group could be changed with GPO or Group Policy Preference.


Ok, so I found the restricted groups setting and removed the local admin group from that list. However, it's a day later and it still seems to be happening. I've checked the other server that has GPOs and it is set the same way (it does not have the local admin listed in restricted groups). Anyone else have any other ideas?
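
Added example, not part of the original thread: a small Python parser for the audit event posted above that classifies who made the change. It relies on one fact the thread does not spell out, that logon ID (0x0,0x3E7) is the LocalSystem session, so the removal was done by the machine itself (a service, a scheduled task or policy processing) and not by a person at the console; the function names are illustrative.

```python
import re

# Event description as posted in the thread.
SAMPLE_EVENT = """\
Security Enabled Local Group Member Removed:
       Member Name:      -
       Member ID:      MEGAWEST\\mws
       Target Account Name:      Administrators
       Target Domain:      Builtin
       Target Account ID:      BUILTIN\\Administrators
       Caller User Name:      MEGAWEST$
       Caller Domain:      SBO
       Caller Logon ID:      (0x0,0x3E7)
       Privileges:      -
"""
SYSTEM_LOGON_ID = (0x0, 0x3E7)  # well-known logon session of LocalSystem

def parse_event(text):
    """Split an event description into its title and a dict of fields."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    fields = {}
    for line in lines[1:]:
        key, sep, value = line.partition(":")  # first colon ends the field name
        if sep:
            fields[key.strip()] = value.strip()
    return lines[0].rstrip(":"), fields

def classify_caller(fields):
    """Return the kind of security context that made the change."""
    m = re.fullmatch(r"\(\s*(0x[0-9A-Fa-f]+)\s*,\s*(0x[0-9A-Fa-f]+)\s*\)",
                     fields.get("Caller Logon ID", ""))
    logon_id = (int(m.group(1), 16), int(m.group(2), 16)) if m else None
    if logon_id == SYSTEM_LOGON_ID:
        return "local-system"      # the OS itself: service, task or policy refresh
    if fields.get("Caller User Name", "").endswith("$"):
        return "computer-account"  # a machine account in some other session
    return "user"                  # a named account: trace its logon session

def summarize(text):
    title, f = parse_event(text)
    return {
        "action": title,
        "member": f.get("Member ID"),
        "group": f.get("Target Account ID"),
        "caller": f.get("Caller Domain", "") + "\\" + f.get("Caller User Name", ""),
        "caller_kind": classify_caller(f),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENT))
```

A result of `local-system` points the search at what runs as SYSTEM on the server at the times the removals are logged, which is why the replies keep returning to policy settings.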