Adding Domain user as local administrator on computer not retaining

Posted on 2011-03-25
Last Modified: 2012-05-11
Hello,

I will try to make as much sense of this as I can. I just started maintaining a small network which has a Windows 2003 server and 5 workstations. I haven't had the opportunity yet to fully dig into how their server was configured by the previous administrator.

I recently added a new laptop to the domain with a new user. I added the domain admin AND the new domain user as a local administrator on the laptop through the Control Panel>User Accounts interface. A couple days later the user was unable to download and update Flash, insufficient privileges. I noticed he was no longer a local admin on the laptop, neither was the domain admin. I added both the domain admin and the new domain user as administrators again on the local machine and all was well. A couple days later, again the user could not perform certain actions. And again the settings in the User Accounts did not retain.

What could be causing this? Is it a GPO on the server?

Any advice would be appreciated.
Question by:clraymond
8 Comments
 
LVL 30

Expert Comment

by:Randy Downs
ID: 35216522
If they log on to the domain then they will have the privileges you set up on the domain users. That's really an advantage of using a domain.
0
 
LVL 8

Expert Comment

by:tonyperth
ID: 35216791
I personally would check for a log in script that sets the local admin. I have seen some techies put a script in that deletes all local admins except the actual local administrator account. The script could of course be anywhere in AD or more likely the profile script.

Cheers,

Tony
0
 
LVL 6

Assisted Solution

by:mattconroy
mattconroy earned 200 total points
ID: 35216821
Group Policy is the only thing that can do this.
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 300 total points
ID: 35216837
Yes probably being pushed via restricted groups; you can see how that is done here:   http://www.frickelsoft.net/blog/?p=13

Run an RSoP report and you will be able to see what policies are being applied.

Thanks

Mike
0
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 35216897
You can run an RSOP report by opening up command prompt and typing rsop.msc

Check under computer config\windows settings\restricted groups.
0
 
LVL 44

Expert Comment

by:Amit
ID: 35217961
Check Default Controller Domain policy. It seems Domain admin is part of a restricted group. But why are you giving domain admin to the user? It is unsafe, as you have given full rights for the whole domain. Local admin rights are enough. As you added the user to domain admin already, admin count is now changed to 1. You can make it 0 by using the adsiedit.msc tool.

It is by design that AD checks for protected groups, and if it is added as a restricted group, it will remove it automatically. You first need to remove the protected group from the restricted policy, as it is not recommended by MS. I had a 4-day call for the same issue with MS and finally we removed it from the restricted GPO.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 35219649
Mike is correct.  Group Policy Restricted groups is likely what is happening.

The last Admin obviously set that up wrong because, by default, the DA group gets added to the local Administrators group when you join the domain - and it should stay there.

You can also get information on where this is coming from by running gpresult /v on the laptop when it's connected to the domain.

0
 

Author Closing Comment

by:clraymond
ID: 35219917
Turns out there was a "Local Admin" GPO with a Restricted Group. That restricted group was the BUILTIN\Administrators. The new user that was having the issue was a member of the BUILTIN\Administrators group therefore we could not add him as a local admin on the machine.

What happened was before we could get in to configure his user, the employer attempted to set up his user, wanted to give the user some Administrative privileges and thought that by adding him in the BUILTIN\Administrators group he was giving him those rights. When we originally saw that this user was a member of that group we didn't think much of it (also because of budgetary reasons). BUT unfortunately being a member of that group restricted him from being a local admin.

Can't fully test this on the machine until Monday but that is what I am seeing on the server end and so far this makes the most amount of sense. Thanks for all the help.

I am going to give Matt and Mike the credit. Thanks guys.
0
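
Added example (not part of the thread or any poster's code): a Restricted Groups "Members" list is authoritative, so every account not on it is stripped from the group at each policy refresh, which is the symptom described in the question. The sketch below parses the `[Group Membership]` section of a GPO's `GptTmpl.inf` and reports which current local Administrators would be removed; the function names, the sample file and all SIDs are constructed for illustration.

```python
import configparser

ADMINS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample of a GPO security template. Real files sit in the GPO's
# Machine\Microsoft\Windows NT\SecEdit folder and are usually UTF-16 encoded,
# so decode them before passing the text in. All SIDs here are made up.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-1201
[Version]
signature="$CHICAGO$"
Revision=1
"""

def restricted_groups(inf_text):
    """Return {group: {"members": [...], "memberof": [...]}} from template text."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(inf_text)
    groups = {}
    if not cp.has_section("Group Membership"):
        return groups
    for key, value in cp.items("Group Membership"):
        group, _, kind = key.rpartition("__")  # "<group>__Members" / "__Memberof"
        sids = [s.strip().lstrip("*") for s in value.split(",") if s.strip()]
        groups.setdefault(group.lstrip("*"), {})[kind.lower()] = sids
    return groups

def removed_at_refresh(inf_text, group_sid, current_members):
    """Current members that the policy's Members list does not allow."""
    policy = restricted_groups(inf_text).get(group_sid, {})
    if "members" not in policy:  # no Members entry: membership is left alone
        return []
    allowed = {sid.upper() for sid in policy["members"]}
    # An empty Members list allows nobody, so everything passed in is reported.
    return [m for m in current_members if m.upper() not in allowed]

if __name__ == "__main__":
    current = ["S-1-5-21-1111-2222-3333-512",    # Domain Admins (constructed)
               "S-1-5-21-1111-2222-3333-1350",   # the new user (constructed)
               "S-1-5-21-1111-2222-3333-1201"]   # group named in the policy
    for sid in removed_at_refresh(SAMPLE_INF, ADMINS_SID, current):
        print("will be removed at next refresh:", sid)
```

To keep a manual addition from being wiped, the account has to be added to the policy's Members list (or to a group already on it) rather than to the local group on the workstation.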
