Adding a group to BUILTIN\Administrators: the group is deleted and re-added at each GPO refresh

    Question

  • Hello,
    I have created a GPO to add a domain group to the BUILTIN\Administrators group on each of our servers.
    The action is set on Update because 'Remove this item when no longer applied' is checked.

    The GPO is working as it should, as the group is indeed added to Administrators, but if I look in the event log I can see it is done at each GPO refresh.
    I can see:
    Event 4733 - A member was removed from a security-enabled local group.
    Event 4735 - A security-enabled local group was changed.
    Event 4732 - A member was added to a security-enabled local group.
    Event 4735 - A security-enabled local group was changed.

    I thought that, as nothing had changed for the GPP (so nothing to update), the group would not be deleted and then re-added.

    Is there a way to avoid this behaviour?

    Thanks for your help

    Marc

    Monday, October 17, 2016 8:36 AM

All replies

  • Hi Marc,
    Unlike policy settings, by default preference items are not removed when the hosting GPO becomes out of scope for the user or computer. However, if the Remove this item when it is no longer applied option is selected, the preference extension determines if the preference item should not apply to targeted users or computers (out of scope). If the preference extension determines the preference item is out of scope, it removes the settings associated with the preference item.
    Selecting this option changes the action to Replace. During Group Policy application, the preference extension recreates (deletes and creates) the results of the preference item. Please see more details at:
    Configure Common Options
    https://technet.microsoft.com/en-us/library/cc772371(v=ws.11).aspx
    So, please try unchecking the Remove this item when it is no longer applied option and see if it works then.
    Best regards,
    Wendy


    Tuesday, October 18, 2016 2:45 AM
    Moderator
  • Hello Wendy,

    Thanks for your answer, but in my case, despite the setting 'remove this item when it is no longer applied' being on Yes, the action was on Update, because when I checked it a warning appeared asking what I wanted to do: remove the group or remove the members added to the group.
    - Removing the group would change the action mode to Replace (but I don't want to remove the BUILTIN\Administrators :-) ).
    - Removing the members added to the group would change the action mode to Update.

    So in my case I selected 'removing the members' as my goal was to remove the custom admin group from the BUILTIN\Administrators.

    This is what I have:

    Nonetheless, I did what you proposed: I unchecked the setting 'remove this item when it is no longer applied', ran gpupdate /force a couple of times on a machine and indeed, no more events 4733/4732!
    Great !

    But to be sure, I tried checking the setting 'remove this item when it is no longer applied' again and chose to remove the members, so the action mode is indeed on Update and not Replace.
    As soon as I do that, the event log is filled with event 4733/4732 at each GPO refresh.

    So yes, this setting is the culprit; I hadn't thought about it and I thank you for showing it to me.
    But on the other hand, couldn't we call that a bug, because even though the action mode is on Update, the behaviour is the one of the Replace action mode, don't you think?
    In the documentation (the link you gave me) only the Replace mode is mentioned when you check the setting, not the Update mode.

    Thanks again for your help

    Marc



    Tuesday, October 18, 2016 5:33 AM
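The two choices Marc describes end up as attributes in the GPO's Groups.xml under SYSVOL, and the thread shows that the 'Remove this item when it is no longer applied' flag, not the visible action, is what drives the per-refresh churn. As an added example (my own Python, not code from the thread or from Microsoft), here is a small audit that reads a Groups.xml and flags items carrying removePolicy="1" on BUILTIN\Administrators. The XML is constructed sample data modelled on a real Groups.xml: the Group clsid is the one that appears in the trace log later in the thread, while the uid values, the removeAccounts attribute and the member names are assumptions for the example.

```python
"""Audit a GPP Local Users and Groups item file (Groups.xml) for the
'Remove this item when it is no longer applied' flag on privileged groups."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample modelled on a Groups.xml found under
# \\<domain>\SYSVOL\<domain>\Policies\{GPO-GUID}\Machine\Preferences\Groups\.
# removePolicy="1" on <Group> is what the checkbox writes; the uid values,
# the removeAccounts attribute and the member names are assumptions.
SAMPLE_GROUPS_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)"
         image="2" changed="2016-10-17 08:00:00"
         uid="{00000000-0000-0000-0000-000000000001}" removePolicy="1">
    <Properties action="U" newName="" description="" deleteAllUsers="0"
                deleteAllGroups="0" removeAccounts="1"
                groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="MSNET\IICTWCCTST002_AdminG" action="ADD" sid=""/>
      </Members>
    </Properties>
  </Group>
  <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Remote Desktop Users (built-in)"
         image="2" changed="2016-10-17 08:00:00"
         uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" newName="" description="" deleteAllUsers="0"
                deleteAllGroups="0"
                groupSid="S-1-5-32-555" groupName="Remote Desktop Users (built-in)">
      <Members>
        <Member name="MSNET\Helpdesk" action="ADD" sid=""/>
      </Members>
    </Properties>
  </Group>
</Groups>
"""

ACTION_NAMES = {"C": "Create", "R": "Replace", "U": "Update", "D": "Delete"}
BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"


def audit_groups_xml(xml_text: str) -> List[Dict]:
    """Return one finding per <Group> item with the facts the thread turns on."""
    root = ET.fromstring(xml_text)
    findings = []
    for group in root.iter("Group"):
        props = group.find("Properties")
        if props is None:
            continue
        remove_policy = group.get("removePolicy", "0") == "1"
        action_code = props.get("action", "U")
        findings.append({
            "group": props.get("groupName") or group.get("name", ""),
            "sid": props.get("groupSid", ""),
            "action": ACTION_NAMES.get(action_code, action_code),
            "remove_policy": remove_policy,
            "members": [m.get("name", "") for m in props.iter("Member")],
            # Per the thread's trace logs: with removePolicy set, the CSE runs a
            # removal pass and then re-adds the members on every refresh, even
            # when the action is Update. Expect a 4733/4732 pair per refresh.
            "churns_each_refresh": remove_policy,
        })
    return findings


def privileged_churn(findings: List[Dict]) -> List[Dict]:
    """Findings that touch BUILTIN\\Administrators and will churn each refresh."""
    return [f for f in findings
            if f["churns_each_refresh"] and f["sid"] == BUILTIN_ADMINISTRATORS_SID]


if __name__ == "__main__":
    for f in audit_groups_xml(SAMPLE_GROUPS_XML):
        flag = "CHURN" if f["churns_each_refresh"] else "ok   "
        print(f"{flag} {f['group']:<32} action={f['action']:<7} "
              f"removePolicy={int(f['remove_policy'])} members={f['members']}")
```

To run it against a real GPO, pass the file contents instead of the sample: `audit_groups_xml(open(r"\\dc\SYSVOL\...\Groups.xml").read())`. The action code is reported as written in the XML so you can see, as Marc did, that Update ("U") stays on the item even though the removal pass still runs.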
  • > Event 4733 - A member was removed from a security-enabled local group.
     
    Is there any other policy that might first clean out Administrators?
    Otherwise, enable GPP debug logging and check if it really removes/adds
    the group. If yes, I'd call this a bug (or at least "does not work as
    expected"), and it might be worth rising a call with MSFT support. If
    you are using W7/2008R2, you will not get a fix anyway, both are in
    extended support already :)
     
    Tuesday, October 18, 2016 9:37 AM
  • Hello Martin,

    Thanks for your answer.
    We don't have any other GPO cleaning the Administrators group.
    I will try the GPP debug logging as soon as possible and post the results here.
    We have confirmed that the problem is occurring on Windows Server 2008R2 and 2012R2.

    Marc

    Thursday, October 20, 2016 1:17 PM
  • > I will try the GPP debug logging as soon as possible and post the
    > results here.
     
    Ok. And you might map the entries in the debug log with their timestamps
    to your security events.
     
    Friday, October 21, 2016 9:59 AM
  • Hello,
    I have enabled the GPP logging and it confirmed that, despite the GPO action being set on Update, it first removes the group and then adds it again.

    Here is a part of the log when the GPO has its setting 'Remove this item when no longer applied' unchecked :

    2016-10-24 09:34:40.271 [pid=0x330,tid=0x990] {6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}
    2016-10-24 09:34:40.271 [pid=0x330,tid=0x990] Starting class <Group> - Administrators (built-in).
    2016-10-24 09:34:40.271 [pid=0x330,tid=0x990] Policy is not flagged for removal.
    2016-10-24 09:34:40.271 [pid=0x330,tid=0x990] Completed class <Group> - Administrators (built-in).
    2016-10-24 09:34:40.271 [pid=0x330,tid=0x990] Completed class <Groups>.
    2016-10-24 09:34:40.271 [pid=0x330,tid=0x990] Completed package execution.
    2016-10-24 09:34:40.271 [pid=0x330,tid=0x990] Completed execution of removal package.
    2016-10-24 09:34:40.271 [pid=0x330,tid=0x990] Completed remove GPH.
    2016-10-24 09:34:40.271 [pid=0x330,tid=0x990] Started applying policy.
    2016-10-24 09:34:40.271 [pid=0x330,tid=0x990] Opened file.
    2016-10-24 09:34:40.271 [pid=0x330,tid=0x990] Got file size.
    2016-10-24 09:34:40.271 [pid=0x330,tid=0x990] Created file buffer.
    2016-10-24 09:34:40.287 [pid=0x330,tid=0x990] Completed read file data.
    2016-10-24 09:34:40.287 [pid=0x330,tid=0x990] Terminated file buffer.
    2016-10-24 09:34:40.287 [pid=0x330,tid=0x990] Closed file handle.
    2016-10-24 09:34:40.287 [pid=0x330,tid=0x990] Read GPE XML data file (604 bytes total).
    2016-10-24 09:34:40.287 [pid=0x330,tid=0x990] Completed parse of GPE XML data.
    2016-10-24 09:34:40.287 [pid=0x330,tid=0x990] Completed loading of package.
    2016-10-24 09:34:40.287 [pid=0x330,tid=0x990] Completed get tree root.
    2016-10-24 09:34:40.287 [pid=0x330,tid=0x990] Started package execution.
    2016-10-24 09:34:40.287 [pid=0x330,tid=0x990] Set package timestamp variable (2016-10-24 07:34:40).
    2016-10-24 09:34:40.287 [pid=0x330,tid=0x990] Starting class <Groups>.
    2016-10-24 09:34:40.287 [pid=0x330,tid=0x990] RunOnce value created [SUCCEEDED(S_FALSE)]
    2016-10-24 09:34:40.287 [pid=0x330,tid=0x990] Handle Children.
    2016-10-24 09:34:40.287 [pid=0x330,tid=0x990] {6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}
    2016-10-24 09:34:40.287 [pid=0x330,tid=0x990] Starting class <Group> - Administrators (built-in).
    2016-10-24 09:34:40.287 [pid=0x330,tid=0x990] Adding child elements to RSOP.
    2016-10-24 09:34:40.287 [pid=0x330,tid=0x990] LocateLocalGroup[SID]
    2016-10-24 09:34:40.303 [pid=0x330,tid=0x990] UpdateLocalGroup
    2016-10-24 09:34:40.303 [pid=0x330,tid=0x990] updateLocalGroup
    2016-10-24 09:34:40.303 [pid=0x330,tid=0x990] handleUserAction
    2016-10-24 09:34:40.303 [pid=0x330,tid=0x990] Properties handled.
    2016-10-24 09:34:40.303 [pid=0x330,tid=0x990] RunOnce value created [SUCCEEDED(S_FALSE)]
    2016-10-24 09:34:40.303 [pid=0x330,tid=0x990] Handle Children.
    2016-10-24 09:34:40.303 [pid=0x330,tid=0x990] EVENT : The computer 'Administrators (built-in)' preference item in the 'IaaS_SA_Configure_Custom_Server_AdminGroup {E23B281C-1CC2-4FF2-8F03-035C60E28FA0}' Group Policy Object applied successfully.
    2016-10-24 09:34:40.303 [pid=0x330,tid=0x990] Completed class <Group> - Administrators (built-in).
    2016-10-24 09:34:40.303 [pid=0x330,tid=0x990] Completed class <Groups>.

    You can clearly see on the third line that the GPO is not flagged for removal.

    Here is the same GPO with the setting 'Remove this item when no longer applied' checked :

    2016-10-24 09:13:09.821 [pid=0x334,tid=0x900] {6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}
    2016-10-24 09:13:09.821 [pid=0x334,tid=0x900] Starting class <Group> - Administrators (built-in).
    2016-10-24 09:13:09.821 [pid=0x334,tid=0x900] Adding child elements to RSOP.
    2016-10-24 09:13:09.821 [pid=0x334,tid=0x900] LocateLocalGroup[SID]
    2016-10-24 09:13:09.837 [pid=0x334,tid=0x900] Removed group member MSNET\IICTWCCTST002_AdminG
    2016-10-24 09:13:09.837 [pid=0x334,tid=0x900] Properties handled.
    2016-10-24 09:13:09.837 [pid=0x334,tid=0x900] RunOnce value created [SUCCEEDED(S_FALSE)]
    2016-10-24 09:13:09.837 [pid=0x334,tid=0x900] Handle Children.
    2016-10-24 09:13:09.837 [pid=0x334,tid=0x900] EVENT : The computer 'Administrators (built-in)' preference item in the 'IaaS_SA_Configure_Custom_Server_AdminGroup {E23B281C-1CC2-4FF2-8F03-035C60E28FA0}' Group Policy Object was successfully removed.
    2016-10-24 09:13:09.837 [pid=0x334,tid=0x900] Completed class <Group> - Administrators (built-in).
    2016-10-24 09:13:09.837 [pid=0x334,tid=0x900] Completed class <Groups>.
    2016-10-24 09:13:09.837 [pid=0x334,tid=0x900] Completed package execution.
    2016-10-24 09:13:09.837 [pid=0x334,tid=0x900] Completed execution of removal package.
    2016-10-24 09:13:09.837 [pid=0x334,tid=0x900] Completed remove GPH.
    2016-10-24 09:13:09.837 [pid=0x334,tid=0x900] Started applying policy.
    2016-10-24 09:13:09.852 [pid=0x334,tid=0x900] Opened file.
    2016-10-24 09:13:09.852 [pid=0x334,tid=0x900] Got file size.
    2016-10-24 09:13:09.852 [pid=0x334,tid=0x900] Created file buffer.
    2016-10-24 09:13:09.852 [pid=0x334,tid=0x900] Completed read file data.
    2016-10-24 09:13:09.852 [pid=0x334,tid=0x900] Terminated file buffer.
    2016-10-24 09:13:09.852 [pid=0x334,tid=0x900] Closed file handle.
    2016-10-24 09:13:09.852 [pid=0x334,tid=0x900] Read GPE XML data file (604 bytes total).
    2016-10-24 09:13:09.852 [pid=0x334,tid=0x900] Completed parse of GPE XML data.
    2016-10-24 09:13:09.852 [pid=0x334,tid=0x900] Completed loading of package.
    2016-10-24 09:13:09.852 [pid=0x334,tid=0x900] Completed get tree root.
    2016-10-24 09:13:09.852 [pid=0x334,tid=0x900] Started package execution.
    2016-10-24 09:13:09.852 [pid=0x334,tid=0x900] Set package timestamp variable (2016-10-24 07:13:09).
    2016-10-24 09:13:09.852 [pid=0x334,tid=0x900] Starting class <Groups>.
    2016-10-24 09:13:09.852 [pid=0x334,tid=0x900] RunOnce value created [SUCCEEDED(S_FALSE)]
    2016-10-24 09:13:09.852 [pid=0x334,tid=0x900] Handle Children.
    2016-10-24 09:13:09.852 [pid=0x334,tid=0x900] {6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}
    2016-10-24 09:13:09.852 [pid=0x334,tid=0x900] Starting class <Group> - Administrators (built-in).
    2016-10-24 09:13:09.852 [pid=0x334,tid=0x900] Adding child elements to RSOP.
    2016-10-24 09:13:09.852 [pid=0x334,tid=0x900] LocateLocalGroup[SID]
    2016-10-24 09:13:09.852 [pid=0x334,tid=0x900] UpdateLocalGroup
    2016-10-24 09:13:09.852 [pid=0x334,tid=0x900] updateLocalGroup
    2016-10-24 09:13:09.868 [pid=0x334,tid=0x900] handleUserAction
    2016-10-24 09:13:09.868 [pid=0x334,tid=0x900] Added group member MSNET\IICTWCCTST002_AdminG
    2016-10-24 09:13:09.868 [pid=0x334,tid=0x900] Properties handled.
    2016-10-24 09:13:09.868 [pid=0x334,tid=0x900] RunOnce value created [SUCCEEDED(S_FALSE)]
    2016-10-24 09:13:09.868 [pid=0x334,tid=0x900] Handle Children.
    2016-10-24 09:13:09.868 [pid=0x334,tid=0x900] EVENT : The computer 'Administrators (built-in)' preference item in the 'IaaS_SA_Configure_Custom_Server_AdminGroup {E23B281C-1CC2-4FF2-8F03-035C60E28FA0}' Group Policy Object applied successfully.
    2016-10-24 09:13:09.868 [pid=0x334,tid=0x900] Completed class <Group> - Administrators (built-in).
    2016-10-24 09:13:09.868 [pid=0x334,tid=0x900] Completed class <Groups>.

    Here we can see that the group is indeed removed before being re-added, despite the fact that the GPO action mode is on Update (it is even greyed out).

    You can find the events (delete and add) in the event log at the exact same time.

    Marc

    Monday, October 24, 2016 8:47 AM
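Martin's suggestion to map the trace-log entries to the Security events, carried out as an added example (my own Python, not part of the thread): parse Computer.log-style lines, find members that are removed and re-added on the same thread within one refresh, and check that a 4733 and a 4732 for that member sit at the same timestamps. The two trace excerpts are constructed from the lines Marc posted; the Security events are constructed sample records (the field names are this example's own, not the 4732/4733 event XML schema), and the trace log and event log are assumed to share one clock.

```python
"""Pair GPP 'Local Users and Groups' trace-log entries with Security events
4733/4732 to show one Group Policy refresh removing and re-adding a member."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed excerpts built from the Computer.log lines quoted in the thread.
# With 'Remove this item when it is no longer applied' checked:
TRACE_WITH_REMOVE_FLAG = r"""
2016-10-24 09:13:09.821 [pid=0x334,tid=0x900] Starting class <Group> - Administrators (built-in).
2016-10-24 09:13:09.821 [pid=0x334,tid=0x900] LocateLocalGroup[SID]
2016-10-24 09:13:09.837 [pid=0x334,tid=0x900] Removed group member MSNET\IICTWCCTST002_AdminG
2016-10-24 09:13:09.837 [pid=0x334,tid=0x900] Completed execution of removal package.
2016-10-24 09:13:09.852 [pid=0x334,tid=0x900] Started applying policy.
2016-10-24 09:13:09.868 [pid=0x334,tid=0x900] handleUserAction
2016-10-24 09:13:09.868 [pid=0x334,tid=0x900] Added group member MSNET\IICTWCCTST002_AdminG
"""
# With the option unchecked: no removal pass and no member add/remove lines.
TRACE_WITHOUT_REMOVE_FLAG = r"""
2016-10-24 09:34:40.271 [pid=0x330,tid=0x990] Starting class <Group> - Administrators (built-in).
2016-10-24 09:34:40.271 [pid=0x330,tid=0x990] Policy is not flagged for removal.
2016-10-24 09:34:40.303 [pid=0x330,tid=0x990] UpdateLocalGroup
2016-10-24 09:34:40.303 [pid=0x330,tid=0x990] handleUserAction
"""
# Constructed Security-log records (field names are this example's own, not the
# 4732/4733 event XML). Trace log and event log are assumed to share a clock.
SECURITY_EVENTS = [
    {"time": datetime(2016, 10, 24, 9, 13, 9), "id": 4733,
     "group": "Administrators", "member": r"MSNET\IICTWCCTST002_AdminG"},
    {"time": datetime(2016, 10, 24, 9, 13, 9), "id": 4735,
     "group": "Administrators", "member": ""},
    {"time": datetime(2016, 10, 24, 9, 13, 9), "id": 4732,
     "group": "Administrators", "member": r"MSNET\IICTWCCTST002_AdminG"},
    {"time": datetime(2016, 10, 24, 9, 13, 9), "id": 4735,
     "group": "Administrators", "member": ""},
]

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) "
                     r"\[pid=(?P<pid>0x[0-9a-fA-F]+),tid=(?P<tid>0x[0-9a-fA-F]+)\] (?P<msg>.*)$")
MEMBER_RE = re.compile(r"^(?P<op>Removed|Added) group member (?P<member>\S+)$")


def parse_trace(text: str) -> List[Dict]:
    """Parse trace lines into {ts, tid, msg}; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
                            "tid": m["tid"], "msg": m["msg"]})
    return entries


def find_churn(entries: List[Dict],
               window: timedelta = timedelta(seconds=5)) -> List[Tuple[str, datetime, datetime]]:
    """(member, removed_at, added_at) for members removed then re-added on the
    same thread within `window`: the remove/re-add cycle seen at each refresh."""
    pending: Dict[Tuple[str, str], datetime] = {}
    churn = []
    for e in entries:
        m = MEMBER_RE.match(e["msg"])
        if not m:
            continue
        key = (e["tid"], m["member"].lower())
        if m["op"] == "Removed":
            pending[key] = e["ts"]
        elif key in pending and e["ts"] - pending[key] <= window:
            churn.append((m["member"], pending.pop(key), e["ts"]))
    return churn


def correlate(churn, events: List[Dict],
              slack: timedelta = timedelta(seconds=2)) -> List[Dict]:
    """For each churn pair, look for the 4733 and the 4732 naming that member
    whose event time lies within `slack` of the trace timestamps."""
    def hit(event_id: int, member: str, when: datetime) -> bool:
        return any(ev["id"] == event_id and ev["member"].lower() == member.lower()
                   and abs(ev["time"] - when) <= slack for ev in events)
    return [{"member": member, "removed_at": removed_at, "added_at": added_at,
             "event_4733": hit(4733, member, removed_at),
             "event_4732": hit(4732, member, added_at)}
            for member, removed_at, added_at in churn]


if __name__ == "__main__":
    for label, trace in (("flag checked", TRACE_WITH_REMOVE_FLAG),
                         ("flag unchecked", TRACE_WITHOUT_REMOVE_FLAG)):
        result = correlate(find_churn(parse_trace(trace)), SECURITY_EVENTS)
        print(label, "->", result or "no remove/re-add cycle")
```

The same pairing logic is what a detection rule for "member added to Administrators" has to account for on hosts with this GPP item: a 4733 and a 4732 for the same member, on the same group, inside the same refresh is policy churn, whereas a lone 4732 is not. Matching on member and thread id keeps the check from pairing unrelated removals and additions of different accounts.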
  • > Here is the same GPO with the setting 'Remove this item when no longer
    > applied' checked :
     
    To my understanding: As soon as you set "remove when no longer applied",
    the Action is hard coded to replace (no matter what the UI tells you).
    And ok, obviously it should remove the group only if in fact it is not
    applied anymore. Might be a quirk in the code path inside gpprefcli.dll
    - this would require a case with MSFT support.
     
    > despite the fact that the GPO action mode is on Update (it is even
    > greyed out)
     
    This screen shot looks familiar to me :)
     
    Monday, October 24, 2016 10:42 AM
  • I will see with my manager if he wants to open a case.

    I can assure you that it is a screenshot I made on one of my servers ;-)

    Thanks again for all your help.

    Marc

    Monday, October 24, 2016 11:01 AM
  • > I can assure you that it is a screenshot I made on one of my servers ;-)
     
    No problem with that, but it looks exactly the way I blogged about on
    how to delegate permissions in a better way through GPP than through
    User Rights and restricted Groups :)
     
     
    Tuesday, October 25, 2016 3:31 PM