GPO removed local administrators


  • A GPO was configured to remove all members from the local administrators group on workstations then add the domain administrator as a member. 

    This worked fine in testing so the GPO went live but has resulted in several workstations having all members removed from the local administrators group except for the local administrator account which is disabled on some PCs. 

    The GPO was altered to no longer remove members from the local administrator group and only to add members; however, even after reboot the GPO is not applying to the problem PCs. 

    I assumed the GPOs would still apply using the workstation AD account but this doesn't look to be the case.

    Does a domain administrator account need to be a member of the local administrators group in order for GPOs to apply?

    Wednesday, 9 May 2018 10:45

All replies

  • Hello,


    Best Regards,

    Wednesday, 9 May 2018 12:20
  • Then why isn't my GPO to add the domain administrator to the local administrator group applying to the PC after reboot?

    Can anyone assist?

    Thursday, 17 May 2018 11:16
  • Can you give us details on the GPO? Which part is configured (User or Computer)? Which group is listed in the security filtering (not the real name)? Is the user or the workstation a member of this group?

    Did you try to run a gpupdate to see if it is applied after?

    Best Regards,

    Thursday, 17 May 2018 12:06
  • The GPO is linked to the OU containing computer accounts.

    Security filtering is set to allow Authenticated Users, the built in group containing all user and computer accounts. 

    Using "Computer Configuration>Preferences>Control Panel Settings>Local Users and Groups" to make the changes to the 'Local Administrators' group.

    This GPO was initially set to delete and add members to the 'Local Administrators' group which caused the issue of said group being empty on several computers.

    As soon as I detected the issue I altered the GPO to no longer delete members of the 'Local Administrators' group; it now only adds members but is not applying to the problem computers. 

    Friday, 18 May 2018 11:57
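
The Local Users and Groups preference item described in the post above is stored in the GPO as a Groups.xml file. As an added example (not part of the thread), this PowerShell function reads such a file and flags items whose delete options would empty the target group before members are added; the sample XML, the EXAMPLE domain and the function name Get-GppGroupWipeRisk are constructed for illustration.

```powershell
# Constructed, trimmed sample of a Group Policy Preferences Groups.xml
# (normally under <GPO>\Machine\Preferences\Groups\ in SYSVOL).
$sampleXml = @'
<Groups>
  <Group name="Administrators (built-in)">
    <Properties action="U" deleteAllUsers="1" deleteAllGroups="1"
                groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="EXAMPLE\Domain Admins" action="ADD" sid="" />
      </Members>
    </Properties>
  </Group>
</Groups>
'@

# Hypothetical helper: report what each Local Group item would do.
function Get-GppGroupWipeRisk {
    param([Parameter(Mandatory)][xml]$GroupsXml)

    foreach ($group in $GroupsXml.SelectNodes('//Group')) {
        $props = $group.SelectSingleNode('Properties')
        if (-not $props) { continue }

        # GetAttribute returns '' when the attribute is absent.
        $delUsers  = $props.GetAttribute('deleteAllUsers')  -eq '1'
        $delGroups = $props.GetAttribute('deleteAllGroups') -eq '1'
        $adds = @($props.SelectNodes('Members/Member[@action="ADD"]') |
                  ForEach-Object { $_.GetAttribute('name') })

        [pscustomobject]@{
            Group           = $props.GetAttribute('groupName')
            Action          = $props.GetAttribute('action')   # C, R, U or D
            DeleteAllUsers  = $delUsers
            DeleteAllGroups = $delGroups
            MembersAdded    = $adds
            # True when the item clears existing members, so the group ends up
            # holding only what the item itself adds back.
            WipesMembership = ($delUsers -or $delGroups)
        }
    }
}

Get-GppGroupWipeRisk -GroupsXml $sampleXml | Format-List
```

To check a real policy, pass the text of that GPO's Groups.xml (read with `Get-Content -Raw`) instead of `$sampleXml`.
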
  • Which mode is the preference set to (Create or Update)?

    Did you try to add a user in the local Administrators group manually and run a gpupdate /force to see if the member is now removed?

    Best Regards,

    Friday, 18 May 2018 12:16
  • It is set to Update 'Administrators (Built In)'.

    I cannot add a user to the local Administrators group manually as the initial GPO removed all user accounts and groups except for the local Administrator account which is disabled.

    Wednesday, 30 May 2018 10:30
  • OK, so which part of the GPO is configured, Computer or User?

    Best Regards,

    Wednesday, 30 May 2018 13:05