Domain members disappear

    Question

  • We have some crazy stuff going on. We can add members to Domain Admins and they stay some time, but after a while they are removed. I can add a group into domain admins and after a while they go away too. Now the users that are currently in the DA group remain without issue, but if you attempt to add someone they are removed. I have checked the restricted groups GPO and the domain admins are listed as a group, members say the same DA, and Member of is administrators. I have checked the permissions on AdminSDHolder CN on AD, and permissions match up to what MS says they should.

    Can I get some other ideas on what to check?

    Thank you,

    Mike

    Thursday, November 15, 2012 8:19 PM

Answers

  • Are you saying that you are using Restricted Groups within a GPO? Using restricted groups will remove all current members of the group and explicitly add what's listed in the GPO.

    Enfo Zipper Christoffer Andersson – Principal Advisor

    Friday, November 16, 2012 2:22 PM
  • If restricted group policy is not configured correctly it will not only add required members to local Administrators, but it will remove any members that were in local Admins previously. You need to select the bottom box under "This Group is a member of," so it won't wipe out current members on all machines. See below link for more details.

    If you turn off restricted groups, the groups will simply be left as they were set by the restricted groups settings. There won't be any rollback, you need to add the required users/groups again.

    Using Restricted Groups
    http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
    http://www.frickelsoft.net/blog/?p=13 


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Friday, November 16, 2012 8:22 PM
  • Hi,

    Restricted group will remove all existing members in local admin group if you didn't specify them in the Members property. So be cautious when you configure it.

    If you can use GPP, you can also use Local Users and Groups policy to manage local group memberships.
    Local Users and Groups Extension
    http://technet.microsoft.com/en-us/library/cc731972.aspx

    Regards,
    Cicely

    Friday, November 23, 2012 8:41 AM
    Moderator
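
As an added illustration of the Members versus Member Of distinction in the answers above (not code from any poster or from Microsoft): a PowerShell example that reads the `[Group Membership]` section of a GPO's security template, where Restricted Groups settings are stored as `<group>__Members` and `<group>__Memberof` lines, and lists which current members a policy refresh would drop. The SIDs, the sample file contents and both function names are constructed for the example.

```powershell
# Constructed sample of a GPO security template (all SIDs are made up). In SYSVOL the
# file is <GPO folder>\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf.
$sampleInf = @'
[Group Membership]
*S-1-5-21-1111-2222-3333-512__Memberof = *S-1-5-32-544
*S-1-5-21-1111-2222-3333-512__Members = *S-1-5-21-1111-2222-3333-500,*S-1-5-21-1111-2222-3333-1104
*S-1-5-21-1111-2222-3333-1150__Memberof = *S-1-5-32-544
*S-1-5-21-1111-2222-3333-1150__Members =
[Version]
signature="$CHICAGO$"
'@

# Hypothetical helper: one object per group configured under Restricted Groups.
function Get-RestrictedGroupEntry {
    param([Parameter(Mandatory)][string]$InfText)
    $groups = [ordered]@{}
    $inSection = $false
    foreach ($line in ($InfText -split "\r?\n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection) { continue }
        if ($line -match '^(.+?)__(Members|Memberof)\s*=\s*(.*)$') {
            $name, $kind, $raw = $Matches[1], $Matches[2], $Matches[3]
            if (-not $groups.Contains($name)) { $groups[$name] = @{ Members = @(); Memberof = @() } }
            $groups[$name][$kind] = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
    }
    foreach ($name in $groups.Keys) {
        [pscustomobject]@{
            Group    = $name
            Members  = $groups[$name].Members    # "Members of this group": enforced list
            MemberOf = $groups[$name].Memberof   # "This group is a member of": additive
            Enforced = $groups[$name].Members.Count -gt 0
        }
    }
}

# Hypothetical helper: current members that are absent from an enforced Members list.
function Get-MemberDroppedByPolicy {
    param($Entry, [string[]]$CurrentMembers)
    if (-not $Entry.Enforced) { return @() }
    @($CurrentMembers | Where-Object { $_ -notin $Entry.Members })
}

$entries = Get-RestrictedGroupEntry -InfText $sampleInf
$entries | Format-Table Group, Enforced, Members, MemberOf -AutoSize
# Constructed current membership of the -512 group: -1203 was added by hand later.
$current = '*S-1-5-21-1111-2222-3333-500', '*S-1-5-21-1111-2222-3333-1104', '*S-1-5-21-1111-2222-3333-1203'
Get-MemberDroppedByPolicy -Entry ($entries | Where-Object Group -like '*-512') -CurrentMembers $current
```

With the sample data the last call returns only the `-1203` account, the one that is not in the enforced list. To check a real policy, pass the output of `Get-Content -Raw` on that GPO's GptTmpl.inf as `-InfText`.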

All replies

  • Someone in your team must be doing it.

    Refer to the link below and check the event logs (auditing should be enabled) to drill down

    http://support.microsoft.com/kb/174074?wa=wsignin1.0

    You may also use EventCombMT.exe to make your search easier

    http://www.microsoft.com/en-us/download/details.aspx?id=18465


    Hope it helps
    __________________________
    Best regards
    Sarang Tinguria
    MCP, MCSA, MCTS
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Thursday, November 15, 2012 9:30 PM
  • Our Team is small, there are 5 of us total and we are all trying to figure out what is going on with it. I have searched the logs without success thus far, but will continue to review them.

    Thanks for the input.

    Mike

    Friday, November 16, 2012 1:21 PM
  • Yes, that was set. I did remove the policy.
    Friday, November 16, 2012 7:47 PM