Solved

Local Admin Group nesting in Administrators Group

Posted on 2013-11-24
11
1,093 Views
Last Modified: 2013-12-17
I am new to the company I work for and:

Recently I discovered a GPO that had a "Restricted Group" setting effectively nesting a manually created AD Group Object titled "Local Admin" within the "Administrators Group" effectively giving all members of the "Local Admin" group object Administrative permissions throughout the Domain.

I removed the setting, disabled the GPO, and deleted the GPO.  I also, have deleted about 22 other GPO objects that just weren't needed and seemed to be leftovers from failed tests and attempts at using Group Policy.

I am 100% positive that there is NO GPO that contains this setting any longer, however ever morning, I check the "Administrators Group" and low and behold the "Local Admin" group is again nested in the "Administrators Group".  

I can't find any documentation pointing to this as normal or default behavior...

What am I missing?  Why is this happening? Where is it coming from?

Any ideas?

Thanks!
0
Comment
Question by:cbexpert
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +2
11 Comments
 
LVL 6

Expert Comment

by:donnk
ID: 39672638
do a search in GPO for 'local admin' to track it down

http://technet.microsoft.com/en-us/library/cc730949.aspx
0
 

Author Comment

by:cbexpert
ID: 39672650
This will not work.  This only allows you to search for a GPO by name.  Also, I looked at the other search options and it will not let you search based on Restricted Groups or on a Group Object name within a GPO setting.

Also, at this time I have exactly 6 GPO as you can see each GPO listed under the container "Group Policy Objects".

Thanks for the suggestion though.
0
 
LVL 6

Expert Comment

by:donnk
ID: 39672656
ok thanks for the clarification, you may have tattooing going on:

http://gpoguy.com/whitepapers/understanding-policy-tattooing/
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 37

Expert Comment

by:Mahesh
ID: 39672664
You need to run rsop.msc on affected computers and identify if still any restirctied GPO is applying or any computer startup script is applied from any GPO which will add domain groups to local groups

Also one more place you need to look, i.e. Group policy preferences, there also this setting can be done very nicely
You need to check all GPOs applied to default domain level and OU level where computer and user  resides as preferences can be applied on users as well

Probably rsop.msc \ gpresult will provide you detailed info regarding applied GPOs.

Hope that helps

Mahesh
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39673707
This could be due to orphan GPO which may be causing the issue.Donload resource kit tool and run gpotool you will get the list of GPO and name which is present in AD database.Check the sysvol content and delete the quid if orphan GPO is present.You also need to check in CN=Policies,CN=System,DC=DomainName,DC=com using ADSIEdit.

You can also create new OU move couple of user and enable block inheritance check if still the restircted GPO is applied.You can run rsop on client computer or from DC in planning mode or logging mode to check if any GPO is causing the issue.http://technet.microsoft.com/en-us/library/cc758010(v=ws.10).aspx
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39673909
Your mistake: to remove the group, you should have just removed the group within the restricted group GPO but you may not delete the GPO before it had taken effect. Since you have already done it, you will need another GPO with restricted groups or use a startup script/shutdown script with the command
net localgroup /delete administrators "local admin"
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39674194
The author comment:
"however ever morning, I check the "Administrators Group" and low and behold the "Local Admin" group is again nested in the "Administrators Group". "

It means even after deleting "local admin" group from local administrators group, the group is added again at next reboot.
Correct if I am wrong.

If you removed all GPOs, then it should not add "local admin" group again
There must be some policy left...

You can apply another policy on computers to remove particular "local admin" group and enforce the policy as well so that it will override any other conflicting policies.

Mahesh
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39675284
> It means even after deleting "local admin" group from local administrators group, the group is added again at next reboot. Correct if I am wrong.
-you are wrong :)
The GPO does not add this group "per session", but permanently. So no wonder it stays there if he simply deletes the policy. [He changed the policy first, yes, but it won't have applied already anwhere]
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39675324
You are not getting my point
I am not talking about group deletion from GPO.
it means after logon to machine, he checked local administrators group, he found "local admin" group as member, he deleted \ removed that group manually and then he shutdown the machine EOD.
Now next day when he started the the machine, he again go to local administrators group, he again found the "local admin" group there as member.

cbexpert, please confirm
is that happening with you ?

You can apply another policy on computers to remove particular "local admin" group and enforce the policy as well so that it will override any other conflicting policies.


Mahesh
0
 

Accepted Solution

by:
cbexpert earned 0 total points
ID: 39715644
Good Evening,

Let me see if I can settle this.  There was a security group in AD called "LocalAdmin", for some reason, an administrator prior to me, set up a GPO that would drop this group in the AD built in Administrator group.  I believed I had removed the GPO that was causing this issue, but every morning when I came into work, I would find the "LocalAdmin" group in the "Administrator" group.

I finally figured out what was happening.  FRS replication had a journal wrap on one of the DC causing all Sysvol replication to stop.  Therefore the GPO I thought I had deleted wasn't really deleted, it was actually still within the Sysvol folder.

I've since fixed the journal wrap issue by using a Non Authoritative restore and removed all orphaned GPO files from Sysvol.  Everything is now working fine.
0
 

Author Closing Comment

by:cbexpert
ID: 39723504
Solved issue myself
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question