Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Why a Local administrator membership is removed when a GPupdate  /force is done on the user PC

Posted on 2016-10-12
12
81 Views
Last Modified: 2016-10-23
Hi

We were having Windows 2008 Domain controllers and migrated our DCs to  Windows 2012.
When we had Windows 2008 DCs we had Windows XP PCs in our network. So on the XP  PC if  we go to computer management – Local users and groups- Groups and here if I add any user to the administrators group, they were successfully added and the users were able to have local admin access to their PC.

Now since we migrated to windows 2012 and windows 7, if go to the user PC log in as domain administrator and add them to the local administrator group and if I do a GP update/ force on the user PC and check if the users still is added in the local administrator group. I can see the user is removed.
No sure why the user is removed from them Local administrator group when a GPupdate  /force is done on the user PC.
Any help to sort this will be great
Thanks in advance
0
Comment
Question by:lianne143
  • 4
  • 4
  • 2
  • +2
12 Comments
 
LVL 4

Expert Comment

by:Belal Khallad
ID: 41840661
check the group policy that you have in place
0
 
LVL 12

Assisted Solution

by:Dustin Saunders
Dustin Saunders earned 125 total points
ID: 41840664
I'd start by looking at the GPOs.  Look at all of the ones applied to the computer or group the computer is in, is there anything in:

User Configuration > Preferences > Control Panel, then Right Click on Local Users and Groups

This is where you can update local group membership, including removing members.
0
 

Author Comment

by:lianne143
ID: 41840805
I checked the GPO attached to the staff users OU  and the Computer OU and cant find any settings related with local administrator membership. Is there a way to find as where this setting is applied on a GPO
Please help .
Thanks
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 12

Assisted Solution

by:Dustin Saunders
Dustin Saunders earned 125 total points
ID: 41840827
Are the computers in a group that could be getting the settings?

If you run the GP modeling wizard do you see anything related in the settings applied to the computer?
0
 

Author Comment

by:lianne143
ID: 41840859
I have only one XP PC, in out network, i will add a user tomorrow and replicate the problem and see if the user get deleted after i do a GPupdate.

Do i need to run the GP modelling on the DC for the Staff OU or the computer OU
0
 
LVL 12

Assisted Solution

by:Dustin Saunders
Dustin Saunders earned 125 total points
ID: 41840867
You can run it against any DC, but pick a user from that computer and the computer itself on the User and Computer selection, and you should be able to see everything that applies.
0
 

Author Comment

by:lianne143
ID: 41840897
In AD- user properties- under Member of tab -
User is member of  
               Domain users
                   Teachers

I am trying to run the GP modelling wizard, on the User security Groups window.
By default , Under Security groups-
Authenticated Users
Everyone is populated ,

Do i need to add the teachers  and Domain users group as well group here.
0
 
LVL 12

Assisted Solution

by:Dustin Saunders
Dustin Saunders earned 125 total points
ID: 41841071
I would do:
  • Any domain controller running Windows Server 2003 or later
  • Select the specific user, and the specific computer (not the containers)
  • Default on all other screens

You want to see everything that is getting applied, from there you can hunt down the policy that may be causing the problem.
0
 
LVL 6

Assisted Solution

by:Niten Kumar
Niten Kumar earned 125 total points
ID: 41841101
Try gpresult /H GPReport.html
0
 
LVL 54

Accepted Solution

by:
McKnife earned 250 total points
ID: 41841470
Of course this is a GPO: restricted groups. Read http://www.windowsecurity.com/articles-tutorials/windows_os_security/Using-Restricted-Groups.html
To confirm, visit such a client and, as admin, start rsop.msc and see whether this policy is in use. If not, it could also be this: https://technet.microsoft.com/en-us/library/cc732525(v=ws.11).aspx
To confirm, open cmd as administrator (right click on cmd, select "run as administrator") on such a client. Then, launch:
gpresult /h %temp%\result.html /f & %temp%\result.html

Open in new window

A website with all applied settings will appear. On it, browse to Computer Configuration or User Configuration , expand the Preferences folder, and then expand the Control Panel Settings folder.
Right-click the Local Users and Groups node
0
 

Author Comment

by:lianne143
ID: 41846011
On the Default domain policy. Computer configuration- windows settings-security settings-Restricted groups- Under the group name, I can see Power users and member for this group are DOMAIN\teachers.

But after running the group policy modelling wizard for specific user, and the specific computer.
I went through the settings and in the Restricted groups – Groups
Rather than listing Power users group, a number is specified as shown in the snapshot.
(Wondering if this might have changed, when migrated from Windows 2008 DC to windows 2012 DC)

On the Default domain GPO - Computer configuration- windows settings-security settings-Restricted groups- On the right hand side pane, when I right click – Add a group and put Power Users and click check names, it says names not found. I was wondering why it is not listing as power users, when a group policy modelling report is generated.
Not sure if this could be the underlying problem.

If this is not supplying enough information, I can post the complete result generated by Group policy modelling wizard.
Thanks
Default-domain-Policy.png
GPO-modelling-wizard.png
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 250 total points
ID: 41846220
I wonder why you go your own route instead of following the outlined steps. That would be so much easier, so please do that.
About power users: that group does work on windows xp. Not on vista/7/8/8.1/10, because it's deprecated.
0

Featured Post

Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This Micro Tutorial will go in depth within Systems and Security in Windows 7 and will go into detail regarding Action Center, Windows Firewall, System, etc. This will be demonstrated using Windows 7 operating system.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

838 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question