Solved

Why a Local administrator membership is removed when a GPupdate /force is done on the user PC

Posted on 2016-10-12
Last Modified: 2016-10-23
Hi

We had Windows 2008 domain controllers and migrated our DCs to Windows 2012.
When we had Windows 2008 DCs we had Windows XP PCs in our network. On the XP PC, if we went to Computer Management – Local Users and Groups – Groups and added any user to the Administrators group, they were successfully added and the users were able to have local admin access to their PC.

Now that we have migrated to Windows 2012 and Windows 7, if I go to the user PC, log in as domain administrator, add the user to the local administrator group, do a gpupdate /force on the user PC and check whether the user is still in the local administrator group, I can see the user is removed.
Not sure why the user is removed from the local administrator group when a gpupdate /force is done on the user PC.
Any help to sort this out will be great.
Thanks in advance.
0
Question by:lianne143
12 Comments
 
LVL 4

Expert Comment

by:Belal Khallad
ID: 41840661
Check the group policy that you have in place.
0
 
LVL 13

Assisted Solution

by:Dustin Saunders
Dustin Saunders earned 500 total points
ID: 41840664
I'd start by looking at the GPOs. Look at all of the ones applied to the computer or group the computer is in. Is there anything in:

User Configuration > Preferences > Control Panel, then Right Click on Local Users and Groups

This is where you can update local group membership, including removing members.
0
 

Author Comment

by:lianne143
ID: 41840805
I checked the GPO attached to the staff users OU and the Computer OU and can't find any settings related to local administrator membership. Is there a way to find where this setting is applied in a GPO?
Please help.
Thanks
0
 
LVL 13

Assisted Solution

by:Dustin Saunders
Dustin Saunders earned 500 total points
ID: 41840827
Are the computers in a group that could be getting the settings?

If you run the GP modeling wizard do you see anything related in the settings applied to the computer?
0
 

Author Comment

by:lianne143
ID: 41840859
I have only one XP PC in our network. I will add a user tomorrow, replicate the problem and see if the user gets deleted after I do a gpupdate.

Do I need to run the GP modelling on the DC for the Staff OU or the Computer OU?
0
 
LVL 13

Assisted Solution

by:Dustin Saunders
Dustin Saunders earned 500 total points
ID: 41840867
You can run it against any DC, but pick a user from that computer and the computer itself on the User and Computer selection, and you should be able to see everything that applies.
0
 

Author Comment

by:lianne143
ID: 41840897
In AD, in the user's properties under the Member Of tab, the user is a member of:
               Domain Users
               Teachers

I am trying to run the GP modelling wizard. On the User Security Groups window, by default, under Security groups, Authenticated Users and Everyone are populated.

Do I need to add the Teachers and Domain Users groups here as well?
0
 
LVL 13

Assisted Solution

by:Dustin Saunders
Dustin Saunders earned 500 total points
ID: 41841071
I would do:
  • Any domain controller running Windows Server 2003 or later
  • Select the specific user, and the specific computer (not the containers)
  • Default on all other screens

You want to see everything that is getting applied; from there you can hunt down the policy that may be causing the problem.
0
 
LVL 7

Assisted Solution

by:Niten Kumar
Niten Kumar earned 500 total points
ID: 41841101
Try gpresult /H GPReport.html
0
 
LVL 56

Accepted Solution

by:McKnife
McKnife earned 1000 total points
ID: 41841470
Of course this is a GPO: restricted groups. Read http://www.windowsecurity.com/articles-tutorials/windows_os_security/Using-Restricted-Groups.html
To confirm, visit such a client and, as admin, start rsop.msc and see whether this policy is in use. If not, it could also be this: https://technet.microsoft.com/en-us/library/cc732525(v=ws.11).aspx
To confirm, open cmd as administrator (right click on cmd, select "run as administrator") on such a client. Then, launch:
gpresult /h %temp%\result.html /f & %temp%\result.html

A website with all applied settings will appear. On it, browse to Computer Configuration or User Configuration, expand the Preferences folder, and then expand the Control Panel Settings folder.
Right-click the Local Users and Groups node
0
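Added example, not part of the thread or of any poster's code: Restricted Groups settings are stored in each GPO's security template (GptTmpl.inf) under the [Group Membership] section, so parsing that section shows which group's membership a policy rewrites. The helper name Get-RestrictedGroupEntry, the sample template and its SIDs are constructed for illustration.

```powershell
# Constructed GptTmpl.inf content (sample data, not taken from the thread).
$sample = @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,Administrator
*S-1-5-32-547__Memberof =
*S-1-5-32-547__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Well-known built-in group SIDs; any other identifier is shown unchanged.
$wellKnown = @{ 'S-1-5-32-544' = 'Administrators'; 'S-1-5-32-547' = 'Power Users' }

# Get-RestrictedGroupEntry is a hypothetical helper name, not a built-in cmdlet.
function Get-RestrictedGroupEntry {
    param([Parameter(Mandatory)][string]$InfText, [string]$Source = 'sample')
    $inSection = $false
    foreach ($line in ($InfText -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Restricted Groups settings live only in the [Group Membership] section.
            $inSection = ($Matches[1] -eq 'Group Membership')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -notmatch '^\*?(.+?)__(Members|Memberof)\s*=\s*(.*)$') { continue }
        $group, $kind, $value = $Matches[1], $Matches[2], $Matches[3]
        [pscustomobject]@{
            Source   = $Source
            Group    = if ($wellKnown.ContainsKey($group)) { $wellKnown[$group] } else { $group }
            Setting  = $kind
            Accounts = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            # "Members" is authoritative: accounts not listed are removed at each policy refresh.
            Replaces = ($kind -eq 'Members')
        }
    }
}

Get-RestrictedGroupEntry -InfText $sample | Format-Table -AutoSize

# On a domain-joined machine (assumes read access to SYSVOL), scan every GPO instead:
# Get-ChildItem "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\*\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf" |
#   ForEach-Object { Get-RestrictedGroupEntry -InfText (Get-Content $_.FullName -Raw) -Source $_.FullName }
```

A row with Group = Administrators and Replaces = True identifies a policy that resets local administrator membership on every refresh; the Source path contains the GPO's GUID.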
 

Author Comment

by:lianne143
ID: 41846011
On the Default Domain Policy: Computer Configuration - Windows Settings - Security Settings - Restricted Groups. Under the group name, I can see Power Users, and the members for this group are DOMAIN\teachers.

But after running the Group Policy Modelling wizard for the specific user and the specific computer, I went through the settings, and in Restricted Groups – Groups, rather than listing the Power Users group, a number is specified, as shown in the snapshot.
(Wondering if this might have changed when we migrated from the Windows 2008 DC to the Windows 2012 DC.)

On the Default Domain GPO - Computer Configuration - Windows Settings - Security Settings - Restricted Groups: in the right-hand pane, when I right-click – Add a group, put in Power Users and click Check Names, it says names not found. I was wondering why it is not listed as Power Users when a Group Policy Modelling report is generated.
Not sure if this could be the underlying problem.

If this is not supplying enough information, I can post the complete result generated by the Group Policy Modelling wizard.
Thanks
Default-domain-Policy.png
GPO-modelling-wizard.png
0
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 1000 total points
ID: 41846220
I wonder why you go your own route instead of following the outlined steps. That would be so much easier, so please do that.
About Power Users: that group does work on Windows XP. Not on Vista/7/8/8.1/10, because it's deprecated.
0
