GPO removed local administrators

    Question

  • A GPO was configured to remove all members from the local administrators group on workstations then add the domain administrator as a member. 

    This worked fine in testing so the GPO went live but has resulted in several workstations having all members removed from the local administrators group except for the local administrator account which is disabled on some PCs. 

    The GPO was altered to no longer remove members from the local administrators group and only to add members; however, even after a reboot the GPO is not applying to the problem PCs.

    I assumed the GPOs would still apply using the workstation AD account but this doesn't look to be the case.

    Does a domain administrator account need to be a member of the local administrators group in order for GPOs to apply?

    Wednesday, May 9, 2018 10:45 AM

All replies

  • Hello,

    No

    Best Regards,

    Wednesday, May 9, 2018 12:20 PM
  • Then why isn't my GPO to add the domain administrator to the local administrators group applying to the PC after reboot?

    Can anyone assist?

    Thursday, May 17, 2018 11:16 AM
  • Can you give us details on the GPO? Which part is configured (User or Computer)? Which group is listed in the security filtering (not the real name)? Is the user or the workstation a member of this group?

    Did you try to run a gpupdate to see if it is applied afterwards?

    Best Regards,

    Thursday, May 17, 2018 12:06 PM
  • The GPO is linked to the OU containing computer accounts.

    Security filtering is set to allow Authenticated Users, the built-in group containing all user and computer accounts.

    Using "Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups" to make the changes to the 'Local Administrators' group.

    This GPO was initially set to delete and add members to the 'Local Administrators' group which caused the issue of said group being empty on several computers.

    As soon as I detected the issue I altered the GPO to no longer delete members of the 'Local Administrators' group; it now only adds members, but it is not applying to the problem computers.

    Friday, May 18, 2018 11:57 AM
  • Which mode is the preference set to (Create or Update)?

    Did you try to add a user to the local Administrators group manually and run a gpupdate /force to see if the member is then removed?

    Best Regards,

    Friday, May 18, 2018 12:16 PM
  • It is set to Update 'Administrators (Built In)'.

    I cannot add a user to the local Administrators group manually, as the initial GPO removed all user accounts and groups except for the local Administrator account, which is disabled.

    Wednesday, May 30, 2018 10:30 AM
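  • The lockout condition described in this thread (the preference's "delete then add" action leaving the local Administrators group with nothing but a disabled built-in Administrator) can be audited per workstation before and after a GPO change. The script below is an added example, not code from the thread; it assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts cmdlets (Get-LocalGroupMember, Get-LocalUser) and treats any domain principal as a usable member, since its state cannot be checked locally.

```powershell
# Added example (not from the thread): report who is left in the local Administrators
# group and flag the machine when no usable member remains.
function Test-LocalAdminLockout {
    [CmdletBinding()]
    param([string]$GroupName = 'Administrators')

    $members = @(Get-LocalGroupMember -Group $GroupName -ErrorAction Stop)

    $report = foreach ($m in $members) {
        $enabled = $null   # unknown for domain principals and groups (assumption: treated as usable)
        if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local') {
            # Local user: the built-in Administrator is frequently disabled, which is
            # exactly the state the original poster ended up with.
            $localName = ($m.Name -split '\\')[-1]
            $enabled   = (Get-LocalUser -Name $localName).Enabled
        }
        [pscustomobject]@{
            Name    = $m.Name
            Class   = $m.ObjectClass
            Source  = $m.PrincipalSource
            Enabled = $enabled
        }
    }

    # Usable = a non-local (domain) principal, or a local user that is enabled.
    $usable = @($report | Where-Object { $_.Source -ne 'Local' -or $_.Enabled -eq $true })

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Members      = $report
        LockedOut    = ($usable.Count -eq 0)
    }
}

# Usage: run on each workstation (for example through Invoke-Command) and collect the
# results centrally; elevated rights are needed for the computer-scope gpresult call.
$result = Test-LocalAdminLockout
$result.Members | Format-Table -AutoSize
if ($result.LockedOut) {
    Write-Warning "$($result.ComputerName): no enabled member left in the $($result.Members.Count) entries of Administrators."
    # Show whether the corrected computer-configuration GPO is being applied here at all.
    gpresult /r /scope computer
}
```

    Running this against the test OU before the preference goes live would have shown the empty group immediately; the gpresult call is only useful on a machine that still has an account able to run it.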
  • OK, so which part of the GPO is configured, Computer or User?

    Best Regards,

    Wednesday, May 30, 2018 1:05 PM