I am new to the company I work for and:
Recently I discovered a GPO that had a "Restricted Group" setting effectively nesting a manually created AD Group Object titled "Local Admin" within the "Administrators Group" effectively giving all members of the "Local Admin" group object Administrative permissions throughout the Domain.
I removed the setting, disabled the GPO, and deleted the GPO. I also, have deleted about 22 other GPO objects that just weren't needed and seemed to be leftovers from failed tests and attempts at using Group Policy.
I am 100% positive that there is NO GPO that contains this setting any longer, however ever morning, I check the "Administrators Group" and low and behold the "Local Admin" group is again nested in the "Administrators Group".
I can't find any documentation pointing to this as normal or default behavior...
What am I missing? Why is this happening? Where is it coming from?