Problem controlling Administrators group membership

Last Modified: 2014-08-16
We are trying to make sure certain AD user accounts are a member of the built in Administrators group on our servers. But we're running into some oddities.

First we tried using the preferences section of the GPO (Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups).


I said NEW LOCAL GROUP (Action: Update).
Then I tried choosing from the drop down Administrators (built-in) as the group name.
I added an account and an AD group.

I didn't change any other default setting in the new local group.

When I save this and go to the server and run gpupdate, instead of adding these two to the built-in Administrators group it creates a new group called "Administrators (built-in)" and adds those two to that group. Needless to say, they don't get the permissions desired because this new local group has no rights.

Then I went back in and tried just typing "Administrators" as the group name instead of choosing from the drop down. The same thing happened.

I also tried choosing it by searching for it in the browse "..." dialog. Same effect.

Next I removed this setting from the GPO and tried managing it via the restricted groups setting (Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups).

I chose to control the Administrators group and then set those two to be members.

However, through testing, this actually clears out any other members that someone might have added manually on a given server and sets the members to only those that appear in this group. I only saw this once I ran a "gpupdate /force". I tried adding a member manually and then ran that command and then rechecked, and the member whom I had manually added was removed.

How do we make sure certain users or members exist in the built in administrators group without preventing other members being added manually?

This is Windows Server 2008 R2 AD and client system.

Brad Groux, Senior Manager (Wintel Engineering)

Commented:
The preferred way of managing local users and groups is through Group Policy Preferences; this will allow you to do everything you need.

http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

Author

Commented:
Brad, I've read that article. In my post I explained that doing that did not work. It created a new group, not updating the actual built-in one.
Systems Administrator
Commented:

Author

Commented:
Thanks Steven. That's what I ended up doing on a test system and it worked perfectly. It's very odd. It doesn't make sense that this is what we have to do but it does work if I just type it in.
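
A way to verify on a server which of the outcomes described in the question actually occurred, as an added example that is not part of the original thread: it resolves the real built-in group by its well-known SID (S-1-5-32-544), reports whether each required account is a member, and lists any look-alike local group such as "Administrators (built-in)". The account names in `$required` are hypothetical placeholders; the WinNT ADSI provider is used so the script runs on the PowerShell 2.0 shipped with Server 2008 R2.

```powershell
# Added example. The names in $required are hypothetical placeholders.
$required = @('CONTOSO\svc-admin', 'CONTOSO\Server-Admins')

# Resolve the real built-in Administrators group from its well-known SID,
# so a look-alike group created by a policy cannot be mistaken for it.
$sid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$real = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

# Enumerate every local group on this machine through the WinNT provider.
$computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
$groups   = @($computer.psbase.Children |
              Where-Object { $_.psbase.SchemaClassName -eq 'Group' })

function Get-GroupMemberName($group) {
    # Returns members as DOMAIN\name (or MACHINE\name for local accounts).
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

# 1. Required accounts in the real group: present or missing.
$admins  = $groups | Where-Object { $_.psbase.Name -eq $real }
$members = @(Get-GroupMemberName $admins)
foreach ($name in $required) {
    New-Object PSObject -Property @{
        Check  = 'RequiredMember'
        Group  = $real
        Name   = $name
        Result = $(if ($members -contains $name) { 'Present' } else { 'Missing' })
    }
}

# 2. Look-alike groups: a local group whose name starts like the real one
#    but is not the real one carries no administrative rights.
$groups |
    Where-Object { $_.psbase.Name -like "$real*" -and $_.psbase.Name -ne $real } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Check  = 'LookAlikeGroup'
            Group  = $_.psbase.Name
            Name   = (@(Get-GroupMemberName $_) -join '; ')
            Result = 'Unexpected'
        }
    }
```

Running it before and after `gpupdate /force` also shows whether manually added members survive the policy refresh.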
