Missing Group for local admin group

nsunny66

Hi there
This is driving me nuts. I am trying to figure out what is going on.
I have a Windows 2000 Active Directory, I have a group on the AD called
SQL. I added the SQL group on to the local admin group on a couple of
workstations (the workstations are on the same domain). The addition of
the group is successful. The next day when I check the local admin
group on the workstations, it is missing.
Please advise!!!!!
Thanks
 
Paul Adare

the microsoft.public.win2000.security news group, <nsunny66
@hotmail.com> says...
> Hi there
> This is driving me nuts. I am trying to figure out what is going on.
> I have a Windows 2000 Active Directory, I have a group on the AD called
> SQL. I added the SQL group on to the local admin group on a couple of
> workstations (the workstations are on the same domain). The addition of
> the group is successful. The next day when I check the local admin
> group on the workstations, it is missing.
> Please advise!!!!!

Check domain Group Policy for a GPO that contains a Restricted Groups
setting.

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea
 
Sonny

I went under Computer Configuration -> Windows Settings -> Security
Settings and on the Restricted Groups there was nothing in there.
 
Paul Adare

the microsoft.public.win2000.security news group, Sonny <nsunny66
@hotmail.com> says...
> I went under Computer Configuration -> Windows Settings -> Security
> Settings and on the Restricted Groups there was nothing in there.

You went "under" that how and where exactly?

--
Paul Adare
 
Sonny

In order to check if the SQL group was in the restricted group, I
checked the restricted group settings. Here is where I looked for the
restricted group, unless it resides some place else too.
GPO -> Computer Configuration -> Windows Settings -> Security Settings
It's weird the SQL group just disappears the next day, even though it
adds it successfully later.
Thanks for your input.
 
Sonny

You have to manually go and add the SQL group again in the local admin
group again the next day.
 
Paul Adare

the microsoft.public.win2000.security news group, Sonny <nsunny66
@hotmail.com> says...
> In order to check if the SQL group was in the restricted group, I
> checked the restricted group settings. Here is where I looked for the
> restricted group, unless it resides some place else too.
> GPO -> Computer Configuration -> Windows Settings -> Security Settings
> It's weird the SQL group just disappears the next day, even though it
> adds it successfully later.
> Thanks for your input.

What Group Policy Object are you looking at? Is there anything listed in
any GPO that includes Administrators in a Restricted Group setting?

--
Paul Adare
 
Sonny

> What Group Policy Object are you looking at?

Looking at the group policy at the domain level. There is no group
policy for the OU.

> any GPO that includes Administrators in a Restricted Group setting?

There are no groups in the restricted groups.
 
Roger Abell [MVP]

So, if you have examined all GPOs, and none have any Restricted
Group definitions, then I have to ask about the history of this install.
Did you inherit this domain that was built by another?
Are there any scheduled tasks on the machines where the SQL
group is disappearing?
 
Paul Adare

microsoft.public.win2000.security news group, Roger Abell [MVP]
> So, if you have examined all GPOs, and none have any Restricted
> Group definitions, then I have to ask about the history of this install.
> Did you inherit this domain that was built by another?
> Are there any scheduled tasks on the machines where the SQL
> group is disappearing?

Also any other users with admin rights on this box that could be
removing the group?

--
Paul Adare
 
Sonny

Alright, here is something interesting I found. I added two groups (one
SQL and one testgroup) on 5 different machines on the domain. And both
the groups were missing this morning. At first I thought that the
problem was restricted to the SQL group, but now it seems like any
other group that I add disappears.
Also the SQL group has been there for a long time. It was a member of
the SQL-A group. I took the SQL group off the SQL-A group and that's when
this problem started to arise. I recreated the SQL group but that did not
help. However this does not explain why I cannot add other groups
(testgroup) as a local admin on other domain machines.
To answer your question: I did inherit this domain and it was built by
someone else. There are no scheduled tasks running on the machines. I think
the problem is domain related. Kindly advise.
Thanks
 
Roger Abell [MVP]

It very much sounds like a Restricted Group definition is being applied.
Try getting the GPMC (Group Policy Management Console) installed on
an XP Pro used to manage the domain. It will give you a better view of
GPOs that apply to the machines. You will not be able to use some of
the features with your W2k setup, but what does work will possibly help
you visualize what is potentially bearing down on the machines.
 
Sonny

Roger
Could you let me know how I verify whether the Restricted group
definitions are being applied or not?
Thanks for your prompt reply.
 
Sonny

I installed the GPMC on my XP machine. From there I went to Computer
Configuration -> Windows Settings -> Local Policies -> Restricted
groups. When I highlighted Restricted groups, there was nothing in it.
I guess that means that there are no groups in the restricted groups.
Should I be adding the SQL group here? Or how does it work?
Thanks
 
Roger Abell [MVP]

What you want to do with the GPMC is model what would happen
for one of the machines where the membership disappears.
This is toward the bottom in GPMC where you can look at the
actual resultant set of policy (which will not work for your Windows
2000 machines) or you can do "what if" tests to see what would
be applied to a specific machine with or without specifying a user.
For your purpose, you only need to generate the machine part
and skip the user part. This will cause the system to look at all
currently defined GPOs and then show you what will have the
machine within its scope of management. You would then need
to look at each to see that there is no Restricted Group definition
being applied.
 
Roger Abell [MVP]

Again, if there is a Restricted Group definition for the involved
groups then it is being applied (assuming your AD is healthy).
You need to check all possible places where this could be defined.
 
Steven L Umbach

I would suspect that Restricted Groups is being implemented as others have
said. Another thing to do is to implement auditing of account management on
those workstations in local [or otherwise appropriate] security policy. Then
look in the security log for events that indicate a change in membership of
the administrators group, which would indicate the user that did it and the
time. If the user is system then it is most likely done by Restricted Groups
or a startup script. Also try adding the group to the local administrators
group, and then run the command secedit /refreshpolicy machine_policy
/enforce on that workstation. Check the membership of the administrators
group again. If your group was removed then almost certainly it is Group
Policy Restricted Groups. You can use the support tool gpresult to see what
Group Policies are being applied to the "computer" and one of them would be
implementing Restricted Groups. The link below may be helpful as it explains
the use of Restricted Groups. --- Steve

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
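
Added example, not part of the original thread: a GPO stores its Restricted Groups settings in the `[Group Membership]` section of its security template (`GptTmpl.inf`, under `Machine\Microsoft\Windows NT\SecEdit` in the GPO's SYSVOL folder). The Python sketch below parses such a template and reports whether a given group would survive a policy refresh; the sample template and the `EXAMPLE\SQL` name are constructed for illustration.

```python
import re

# Built-in Administrators, referenced by well-known SID or by name.
ADMINS = {"*s-1-5-32-544", "administrators"}

# Constructed sample of a GptTmpl.inf body (real files are usually UTF-16).
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = Administrator,EXAMPLE\\Domain Admins
"""

def parse_group_membership(inf_text):
    """Return {group: {"members": [...] or None, "memberof": [...] or None}}."""
    groups, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        m = re.fullmatch(r"(.+?)__(members|memberof)", key.strip(), re.I)
        if m:
            entry = groups.setdefault(m.group(1).strip(),
                                      {"members": None, "memberof": None})
            entry[m.group(2).lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return groups

def admins_verdict(inf_text, principal):
    """'kept', 'removed' or 'not managed' for principal in local Administrators.

    Only a __Members line is authoritative; __Memberof is additive and never
    strips members. Names and *SID forms are compared as written, so resolve
    both sides to the same form before relying on the result.
    """
    for group, entry in parse_group_membership(inf_text).items():
        if group.lower() in ADMINS and entry["members"] is not None:
            allowed = {m.lower() for m in entry["members"]}
            return "kept" if principal.lower() in allowed else "removed"
    return "not managed"
```
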
 
Sonny

Thanks guys.
After installing the GPMC tool, I could see all the group policies on
the domain. After checking the policies, I found that there were a few
restricted groups. I added the SQL group on to it. And now am waiting
until Monday (cause it's weekend baby).
- Sonny
 
Roger Abell [MVP]

Sonny said:
> Thanks guys.
> After installing the GPMC tool, I could see all the group policies on
> the domain. After checking the policies, I found that there were a few
> restricted groups. I added the SQL group on to it. And now am waiting
> until Monday (cause it's weekend baby).
> - Sonny

weekends off !??!! not bad !
 
Roger Abell [MVP]

Doh - good addition Steve.
I am not sure where the blinders came from that kept
machine startup/shutdown scripts from being mentioned !!

Thx,
Roger

Steven L Umbach said:
> I would suspect that Restricted Groups is being implemented as others have
> said. Another thing to do is to implement auditing of account management on
> those workstations in local [or otherwise appropriate] security policy.
> Then look in the security log for events that indicate a change in
> membership of the administrators group, which would indicate the user that
> did it and the time. If the user is system then it is most likely done by
> Restricted Groups or a startup script. Also try adding the group to the
> local administrators group, and then run the command
> secedit /refreshpolicy machine_policy /enforce on that workstation. Check
> the membership of the administrators group again. If your group was removed
> then almost certainly it is Group Policy Restricted Groups. You can use the
> support tool gpresult to see what Group Policies are being applied to the
> "computer" and one of them would be implementing Restricted Groups. The
> link below may be helpful as it explains the use of Restricted Groups.
> --- Steve
>
> http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
>
> Hi there
> This is driving me nuts. I am trying to figure out what is going on.
> I have a Windows 2000 Active Directory, I have a group on the AD called
> SQL. I added the SQL group on to the local admin group on a couple of
> workstations (the workstations are on the same domain). The addition of
> the group is successful. The next day when I check the local admin
> group on the workstations, it is missing.
> Please advise!!!!!
> Thanks
 
