I have an SBS 2011 Server with 2008R2 and a mixed environment of Windows 7 and XP.
I have a second Server 2008R2 member server that I have been trying to get the Microsoft Assessment and Planning Tool (MAP) working - this is what caused me my problem!
I was trying to create a domain admin account that had local admin rights to all PCs on the domain and I didn't want to use my domain admin account. So I created a security group and added a user account that has domain admin rights.
I then created a GPO and linked it to the SBS Computers OU. In the GPO I created a Restricted Group rule, added the security group and then added the "Administrators" to the Group Members (bottom half of window) and saved the GPO.
I tested this new setting on an XP PC and quickly realized that my domain admin account that I remoted in with no longer had domain rights on that PC. Please see attached screenshots.
I deleted the Restricted Group rule and ran gpupdate /force on the DC.
I went back to the same PC and found that I still do not have domain Admin rights. I even updated the policy on that PC but it didn't matter.
I waited 24 hours, and on further investigation I found I have 7 XP boxes that are in the same boat.
Please advise how I can fix the 7 Windows XP PCs.
Your assistance is greatly appreciated.