• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 226
  • Last Modified:

Why a Local administrator membership is removed when a GPupdate /force is done on the user PC

Hi

We were having Windows 2008 Domain controllers and migrated our DCs to  Windows 2012.
When we had Windows 2008 DCs we had Windows XP PCs in our network. So on the XP  PC if  we go to computer management – Local users and groups- Groups and here if I add any user to the administrators group, they were successfully added and the users were able to have local admin access to their PC.

Now since we migrated to windows 2012 and windows 7, if go to the user PC log in as domain administrator and add them to the local administrator group and if I do a GP update/ force on the user PC and check if the users still is added in the local administrator group. I can see the user is removed.
No sure why the user is removed from them Local administrator group when a GPupdate  /force is done on the user PC.
Any help to sort this will be great
Thanks in advance
0
lianne143
Asked:
lianne143
  • 4
  • 4
  • 2
  • +2
7 Solutions
 
Belal KhalladSR ConsultantCommented:
check the group policy that you have in place
0
 
Dustin SaundersDirector of OperationsCommented:
I'd start by looking at the GPOs.  Look at all of the ones applied to the computer or group the computer is in, is there anything in:

User Configuration > Preferences > Control Panel, then Right Click on Local Users and Groups

This is where you can update local group membership, including removing members.
0
 
lianne143Author Commented:
I checked the GPO attached to the staff users OU  and the Computer OU and cant find any settings related with local administrator membership. Is there a way to find as where this setting is applied on a GPO
Please help .
Thanks
0
Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

 
Dustin SaundersDirector of OperationsCommented:
Are the computers in a group that could be getting the settings?

If you run the GP modeling wizard do you see anything related in the settings applied to the computer?
0
 
lianne143Author Commented:
I have only one XP PC, in out network, i will add a user tomorrow and replicate the problem and see if the user get deleted after i do a GPupdate.

Do i need to run the GP modelling on the DC for the Staff OU or the computer OU
0
 
Dustin SaundersDirector of OperationsCommented:
You can run it against any DC, but pick a user from that computer and the computer itself on the User and Computer selection, and you should be able to see everything that applies.
0
 
lianne143Author Commented:
In AD- user properties- under Member of tab -
User is member of  
               Domain users
                   Teachers

I am trying to run the GP modelling wizard, on the User security Groups window.
By default , Under Security groups-
Authenticated Users
Everyone is populated ,

Do i need to add the teachers  and Domain users group as well group here.
0
 
Dustin SaundersDirector of OperationsCommented:
I would do:
  • Any domain controller running Windows Server 2003 or later
  • Select the specific user, and the specific computer (not the containers)
  • Default on all other screens

You want to see everything that is getting applied, from there you can hunt down the policy that may be causing the problem.
0
 
Niten KumarPrincipal Systems AdministratorCommented:
Try gpresult /H GPReport.html
0
 
McKnifeCommented:
Of course this is a GPO: restricted groups. Read http://www.windowsecurity.com/articles-tutorials/windows_os_security/Using-Restricted-Groups.html
To confirm, visit such a client and, as admin, start rsop.msc and see whether this policy is in use. If not, it could also be this: https://technet.microsoft.com/en-us/library/cc732525(v=ws.11).aspx
To confirm, open cmd as administrator (right click on cmd, select "run as administrator") on such a client. Then, launch:
gpresult /h %temp%\result.html /f & %temp%\result.html

Open in new window

A website with all applied settings will appear. On it, browse to Computer Configuration or User Configuration , expand the Preferences folder, and then expand the Control Panel Settings folder.
Right-click the Local Users and Groups node
0
 
lianne143Author Commented:
On the Default domain policy. Computer configuration- windows settings-security settings-Restricted groups- Under the group name, I can see Power users and member for this group are DOMAIN\teachers.

But after running the group policy modelling wizard for specific user, and the specific computer.
I went through the settings and in the Restricted groups – Groups
Rather than listing Power users group, a number is specified as shown in the snapshot.
(Wondering if this might have changed, when migrated from Windows 2008 DC to windows 2012 DC)

On the Default domain GPO - Computer configuration- windows settings-security settings-Restricted groups- On the right hand side pane, when I right click – Add a group and put Power Users and click check names, it says names not found. I was wondering why it is not listing as power users, when a group policy modelling report is generated.
Not sure if this could be the underlying problem.

If this is not supplying enough information, I can post the complete result generated by Group policy modelling wizard.
Thanks
Default-domain-Policy.png
GPO-modelling-wizard.png
0
 
McKnifeCommented:
I wonder why you go your own route instead of following the outlined steps. That would be so much easier, so please do that.
About power users: that group does work on windows xp. Not on vista/7/8/8.1/10, because it's deprecated.
0

Featured Post

Easily manage email signatures in Office 365

Managing email signatures in Office 365 can be a challenging task if you don't have the right tool. CodeTwo Email Signatures for Office 365 will help you implement a unified email signature look, no matter what email client is used by users. Test it for free!

  • 4
  • 4
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now