<div>
check the group policy that you have in place
</div>


<div>
I checked the GPO attached to the staff users OU &nbsp;and the Computer OU and cant find any settings related with local administrator membership. Is there a way to find as where this setting is applied on a GPO<br />
Please help .<br />
Thanks
</div>


<div>
I have only one XP PC, in out network, i will add a user tomorrow and replicate the problem and see if the user get deleted after i do a GPupdate.<br />
<br />
Do i need to run the GP modelling on the DC for the Staff OU or the computer OU
</div>


<div>
In AD- user properties- under Member of tab -<br />
User is member of &nbsp;<br />
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Domain users<br />
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Teachers<br />
<br />
I am trying to run the GP modelling wizard, on the User security Groups window.<br />
By default , Under Security groups- <br />
Authenticated Users <br />
Everyone is populated ,<br />
<br />
Do i need to add the teachers &nbsp;and Domain users group as well group here.
</div>


<div>
On the Default domain policy. Computer configuration- windows settings-security settings-Restricted groups- Under the group name, I can see Power users and member for this group are DOMAIN\teachers.<br />
<br />
But after running the group policy modelling wizard for specific user, and the specific computer.<br />
I went through the settings and in the Restricted groups – Groups<br />
Rather than listing Power users group, a number is specified as shown in the snapshot.<br />
(Wondering if this might have changed, when migrated from Windows 2008 DC to windows 2012 DC)<br />
<br />
On the Default domain GPO - Computer configuration- windows settings-security settings-Restricted groups- On the right hand side pane, when I right click – Add a group and put Power Users and click check names, it says names not found. I was wondering why it is not listing as power users, when a group policy modelling report is generated.<br />
Not sure if this could be the underlying problem.<br />
<br />
If this is not supplying enough information, I can post the complete result generated by Group policy modelling wizard.<br />
Thanks<br />
<a href="https://filedb.experts-exchange.com/incoming/2016/10_w43/1122540/Default-domain-Policy.png" target="_blank" class="file-inline" title="Default-domain-Policy (41 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>Default-domain-Policy.png</a><br />
<a href="https://filedb.experts-exchange.com/incoming/2016/10_w43/1122541/GPO-modelling-wizard.png" target="_blank" class="file-inline" title="GPO-modelling-wizard (41 KB)"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><path d="M67.508 468.467c-58.005-58.013-58.016-151.92 0-209.943l225.011-225.04c44.643-44.645 117.279-44.645 161.92 0 44.743 44.749 44.753 117.186 0 161.944l-189.465 189.49c-31.41 31.413-82.518 31.412-113.926.001-31.479-31.482-31.49-82.453 0-113.944L311.51 110.491c4.687-4.687 12.286-4.687 16.972 0l16.967 16.971c4.685 4.686 4.685 12.283 0 16.969L184.983 304.917c-12.724 12.724-12.73 33.328 0 46.058 12.696 12.697 33.356 12.699 46.054-.001l189.465-189.489c25.987-25.989 25.994-68.06.001-94.056-25.931-25.934-68.119-25.932-94.049 0l-225.01 225.039c-39.249 39.252-39.258 102.795-.001 142.057 39.285 39.29 102.885 39.287 142.162-.028A739446.174 739446.174 0 0 1 439.497 238.49c4.686-4.687 12.282-4.684 16.969.004l16.967 16.971c4.685 4.686 4.689 12.279.004 16.965a755654.128 755654.128 0 0 0-195.881 195.996c-58.034 58.092-152.004 58.093-210.048.041z"/></svg>GPO-modelling-wizard.png</a>
</div>


GPO-modelling-wizard.png

Default-domain-Policy.png

<div>
<div class="content wysiwyg-content">
Hi<br />
<br />
We were having Windows 2008 Domain controllers and migrated our DCs to &nbsp;Windows 2012.<br />
When we had Windows 2008 DCs we had Windows XP PCs in our network. So on the XP &nbsp;PC if &nbsp;we go to computer management – Local users and groups- Groups and here if I add any user to the administrators group, they were successfully added and the users were able to have local admin access to their PC.<br />
<br />
Now since we migrated to windows 2012 and windows 7, if go to the user PC log in as domain administrator and add them to the local administrator group and if I do a GP update/ force on the user PC and check if the users still is added in the local administrator group. I can see the user is removed.<br />
No sure why the user is removed from them Local administrator group when a GPupdate &nbsp;/force is done on the user PC.<br />
Any help to sort this will be great <br />
Thanks in advance
</div>
</div>


Hi

We were having Windows 2008 Domain controllers and migrated our DCs to  Windows 2012.
When we had Windows 2008 DCs we had Windows XP PCs in our network. So on the XP  PC if  we go to computer management – Local users and groups- Groups and here if I add any user to the administrators group, they were successfully added and the users were able to have local admin access to their PC.

Now since we migrated to windows 2012 and windows 7, if go to the user PC log in as domain administrator and add them to the local administrator group and if I do a GP update/ force on the user PC and check if the users still is added in the local administrator group. I can see the user is removed.
No sure why the user is removed from them Local administrator group when a GPupdate  /force is done on the user PC.
Any help to sort this will be great 
Thanks in advance

Why a Local administrator membership is removed when a GPupdate  /force is done on the user PC

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Active Directory

Windows 7 is an operating system from Microsoft. Features include multi-touch support, a redesigned Windows Shell with a new taskbar, referred to as the Superbar, a home networking system called HomeGroup, and performance improvements.