Why a Local administrator membership is removed when a GPupdate /force is done on the user PC


We were having Windows 2008 Domain controllers and migrated our DCs to  Windows 2012.
When we had Windows 2008 DCs we had Windows XP PCs in our network. So on the XP  PC if  we go to computer management – Local users and groups- Groups and here if I add any user to the administrators group, they were successfully added and the users were able to have local admin access to their PC.

Now since we migrated to windows 2012 and windows 7, if go to the user PC log in as domain administrator and add them to the local administrator group and if I do a GP update/ force on the user PC and check if the users still is added in the local administrator group. I can see the user is removed.
No sure why the user is removed from them Local administrator group when a GPupdate  /force is done on the user PC.
Any help to sort this will be great
Thanks in advance
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Belal KhalladSR ConsultantCommented:
check the group policy that you have in place
Dustin SaundersDirector of OperationsCommented:
I'd start by looking at the GPOs.  Look at all of the ones applied to the computer or group the computer is in, is there anything in:

User Configuration > Preferences > Control Panel, then Right Click on Local Users and Groups

This is where you can update local group membership, including removing members.
lianne143Author Commented:
I checked the GPO attached to the staff users OU  and the Computer OU and cant find any settings related with local administrator membership. Is there a way to find as where this setting is applied on a GPO
Please help .
CEOs need to know what they should worry about

Nearly every week during the past few years has featured a headline about the latest data breach, malware attack, ransomware demand, or unrecoverable corporate data loss. Those stories are frequently followed by news that the CEOs at those companies were forced to resign.

Dustin SaundersDirector of OperationsCommented:
Are the computers in a group that could be getting the settings?

If you run the GP modeling wizard do you see anything related in the settings applied to the computer?
lianne143Author Commented:
I have only one XP PC, in out network, i will add a user tomorrow and replicate the problem and see if the user get deleted after i do a GPupdate.

Do i need to run the GP modelling on the DC for the Staff OU or the computer OU
Dustin SaundersDirector of OperationsCommented:
You can run it against any DC, but pick a user from that computer and the computer itself on the User and Computer selection, and you should be able to see everything that applies.
lianne143Author Commented:
In AD- user properties- under Member of tab -
User is member of  
               Domain users

I am trying to run the GP modelling wizard, on the User security Groups window.
By default , Under Security groups-
Authenticated Users
Everyone is populated ,

Do i need to add the teachers  and Domain users group as well group here.
Dustin SaundersDirector of OperationsCommented:
I would do:
  • Any domain controller running Windows Server 2003 or later
  • Select the specific user, and the specific computer (not the containers)
  • Default on all other screens

You want to see everything that is getting applied, from there you can hunt down the policy that may be causing the problem.
Niten KumarPrincipal Systems AdministratorCommented:
Try gpresult /H GPReport.html
Of course this is a GPO: restricted groups. Read http://www.windowsecurity.com/articles-tutorials/windows_os_security/Using-Restricted-Groups.html
To confirm, visit such a client and, as admin, start rsop.msc and see whether this policy is in use. If not, it could also be this: https://technet.microsoft.com/en-us/library/cc732525(v=ws.11).aspx
To confirm, open cmd as administrator (right click on cmd, select "run as administrator") on such a client. Then, launch:
gpresult /h %temp%\result.html /f & %temp%\result.html

Open in new window

A website with all applied settings will appear. On it, browse to Computer Configuration or User Configuration , expand the Preferences folder, and then expand the Control Panel Settings folder.
Right-click the Local Users and Groups node

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
lianne143Author Commented:
On the Default domain policy. Computer configuration- windows settings-security settings-Restricted groups- Under the group name, I can see Power users and member for this group are DOMAIN\teachers.

But after running the group policy modelling wizard for specific user, and the specific computer.
I went through the settings and in the Restricted groups – Groups
Rather than listing Power users group, a number is specified as shown in the snapshot.
(Wondering if this might have changed, when migrated from Windows 2008 DC to windows 2012 DC)

On the Default domain GPO - Computer configuration- windows settings-security settings-Restricted groups- On the right hand side pane, when I right click – Add a group and put Power Users and click check names, it says names not found. I was wondering why it is not listing as power users, when a group policy modelling report is generated.
Not sure if this could be the underlying problem.

If this is not supplying enough information, I can post the complete result generated by Group policy modelling wizard.
I wonder why you go your own route instead of following the outlined steps. That would be so much easier, so please do that.
About power users: that group does work on windows xp. Not on vista/7/8/8.1/10, because it's deprecated.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.