Solved

Why a Local administrator membership is removed when a GPupdate  /force is done on the user PC

Posted on 2016-10-12
12
61 Views
Last Modified: 2016-10-23
Hi

We were having Windows 2008 Domain controllers and migrated our DCs to  Windows 2012.
When we had Windows 2008 DCs we had Windows XP PCs in our network. So on the XP  PC if  we go to computer management – Local users and groups- Groups and here if I add any user to the administrators group, they were successfully added and the users were able to have local admin access to their PC.

Now since we migrated to windows 2012 and windows 7, if go to the user PC log in as domain administrator and add them to the local administrator group and if I do a GP update/ force on the user PC and check if the users still is added in the local administrator group. I can see the user is removed.
No sure why the user is removed from them Local administrator group when a GPupdate  /force is done on the user PC.
Any help to sort this will be great
Thanks in advance
0
Comment
Question by:lianne143
  • 4
  • 4
  • 2
  • +2
12 Comments
 
LVL 3

Expert Comment

by:Belal Khallad
ID: 41840661
check the group policy that you have in place
0
 
LVL 12

Assisted Solution

by:Dustin Saunders
Dustin Saunders earned 125 total points
ID: 41840664
I'd start by looking at the GPOs.  Look at all of the ones applied to the computer or group the computer is in, is there anything in:

User Configuration > Preferences > Control Panel, then Right Click on Local Users and Groups

This is where you can update local group membership, including removing members.
0
 

Author Comment

by:lianne143
ID: 41840805
I checked the GPO attached to the staff users OU  and the Computer OU and cant find any settings related with local administrator membership. Is there a way to find as where this setting is applied on a GPO
Please help .
Thanks
0
 
LVL 12

Assisted Solution

by:Dustin Saunders
Dustin Saunders earned 125 total points
ID: 41840827
Are the computers in a group that could be getting the settings?

If you run the GP modeling wizard do you see anything related in the settings applied to the computer?
0
 

Author Comment

by:lianne143
ID: 41840859
I have only one XP PC, in out network, i will add a user tomorrow and replicate the problem and see if the user get deleted after i do a GPupdate.

Do i need to run the GP modelling on the DC for the Staff OU or the computer OU
0
 
LVL 12

Assisted Solution

by:Dustin Saunders
Dustin Saunders earned 125 total points
ID: 41840867
You can run it against any DC, but pick a user from that computer and the computer itself on the User and Computer selection, and you should be able to see everything that applies.
0
 

Author Comment

by:lianne143
ID: 41840897
In AD- user properties- under Member of tab -
User is member of  
               Domain users
                   Teachers

I am trying to run the GP modelling wizard, on the User security Groups window.
By default , Under Security groups-
Authenticated Users
Everyone is populated ,

Do i need to add the teachers  and Domain users group as well group here.
0
 
LVL 12

Assisted Solution

by:Dustin Saunders
Dustin Saunders earned 125 total points
ID: 41841071
I would do:
  • Any domain controller running Windows Server 2003 or later
  • Select the specific user, and the specific computer (not the containers)
  • Default on all other screens

You want to see everything that is getting applied, from there you can hunt down the policy that may be causing the problem.
0
 
LVL 6

Assisted Solution

by:Niten Kumar
Niten Kumar earned 125 total points
ID: 41841101
Try gpresult /H GPReport.html
0
 
LVL 53

Accepted Solution

by:
McKnife earned 250 total points
ID: 41841470
Of course this is a GPO: restricted groups. Read http://www.windowsecurity.com/articles-tutorials/windows_os_security/Using-Restricted-Groups.html
To confirm, visit such a client and, as admin, start rsop.msc and see whether this policy is in use. If not, it could also be this: https://technet.microsoft.com/en-us/library/cc732525(v=ws.11).aspx
To confirm, open cmd as administrator (right click on cmd, select "run as administrator") on such a client. Then, launch:
gpresult /h %temp%\result.html /f & %temp%\result.html

Open in new window

A website with all applied settings will appear. On it, browse to Computer Configuration or User Configuration , expand the Preferences folder, and then expand the Control Panel Settings folder.
Right-click the Local Users and Groups node
0
 

Author Comment

by:lianne143
ID: 41846011
On the Default domain policy. Computer configuration- windows settings-security settings-Restricted groups- Under the group name, I can see Power users and member for this group are DOMAIN\teachers.

But after running the group policy modelling wizard for specific user, and the specific computer.
I went through the settings and in the Restricted groups – Groups
Rather than listing Power users group, a number is specified as shown in the snapshot.
(Wondering if this might have changed, when migrated from Windows 2008 DC to windows 2012 DC)

On the Default domain GPO - Computer configuration- windows settings-security settings-Restricted groups- On the right hand side pane, when I right click – Add a group and put Power Users and click check names, it says names not found. I was wondering why it is not listing as power users, when a group policy modelling report is generated.
Not sure if this could be the underlying problem.

If this is not supplying enough information, I can post the complete result generated by Group policy modelling wizard.
Thanks
Default-domain-Policy.png
GPO-modelling-wizard.png
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 250 total points
ID: 41846220
I wonder why you go your own route instead of following the outlined steps. That would be so much easier, so please do that.
About power users: that group does work on windows xp. Not on vista/7/8/8.1/10, because it's deprecated.
0

Join & Write a Comment

Suggested Solutions

One of the features I've come to appreciate about Windows 7 and Windows Server 2008 R2 is the ability to pin applications to the task bar. As useful a feature as I've found this, it does have some quirks.  For example, have you ever tried pinning an…
In this article, we will see the basic design consideration while designing a Multi-tenant web application in a simple manner. Though, many frameworks are available in the market to develop a multi - tenant application, but do they provide data, cod…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now