Power User Setting Not Saved

[Guest]

I have a computer that is used for a certain automotive diagnostic program
and this program requires that the user be logged on as a Power User due to
licensing issues. To set this up, I logged on as Administrator and added
this user login name to the Power Users group under Computer Management and
Local Users and Groups. I then logged out as Administrator and logged in as
the local user and everything worked fine. However, Windows XP seems to
"forget" that this user is a member of the Power Users group, as I've had to
do the same procedure three times now. I'm assuming it happens after the
users restart the machine, but, regardless, is there some step I'm missing to
get this user to remain a Power User? Why is this setting not saved?
Thanks.

 

[Steven L Umbach]

If the computer is a member of an Active Directory domain their could be a
Group Policy Restricted Groups configuration that is enforcing group
membership. Running rsop.msc on that computer probably would show such if
that is the case. If not a member of an AD domain then it is hard to say
what is going on but I would enable auditing of account management in Local
Security Policy and then look for an account management event for change of
group membership to see what user changed the group membership. If the user
is system that would indicate that something on the computer is configured
to enforce group membership. --- Steve

 

[Guest]

The computer is a member of AD and so I ran rsop.msc. However, I'm very new
to Windows administration, so I have no idea what all these security settings
are telling me. What exactly should I be looking for? Under the "Restricted
Groups" folder in the Computer Configuration section, I have Administrators
and Power Users listed, and the local user name with the issue is a member of
the group listed under Power Users. Why is there no group called Power Users
under the Active Directory list of groups, but there is under local Computer
Management?

 

[Steven L Umbach]

There is no power users group in Active Directory - it is only available as
a local group on domain computers. However Group Policy Restricted Groups
can be used to manage membership of the power users group which seems to be
the case here. It sounds like Restricted Groups is not configured correctly
if the domain user in question is being removed from the power users group
or the domain user is not a member of the global group [don't use domain
local groups] specified in Restricted Groups. The link below may help in
explaining how to configure Restricted Groups. You would need to check the
configuration for Restricted Groups for the Group Policy that rsop.msc shows
as enforcing Restricted Groups. --- Steve

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

 

[Guest]

Thanks for the help and link. I've added the local user to the Power Users
group account under Restricted Groups on the Workstations policy for the
primary domain controller for the domain. Will this user be listed as a
Power User on the local machine itself now?

There is no power users group in Active Directory - it is only available as
a local group on domain computers. However Group Policy Restricted Groups
can be used to manage membership of the power users group which seems to be
the case here. It sounds like Restricted Groups is not configured correctly
if the domain user in question is being removed from the power users group
or the domain user is not a member of the global group [don't use domain
local groups] specified in Restricted Groups. The link below may help in
explaining how to configure Restricted Groups. You would need to check the
configuration for Restricted Groups for the Group Policy that rsop.msc shows
as enforcing Restricted Groups. --- Steve

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

The computer is a member of AD and so I ran rsop.msc. However, I'm very
new
to Windows administration, so I have no idea what all these security
settings
are telling me. What exactly should I be looking for? Under the
"Restricted
Groups" folder in the Computer Configuration section, I have
Administrators
and Power Users listed, and the local user name with the issue is a member
of
the group listed under Power Users. Why is there no group called Power
Users
under the Active Directory list of groups, but there is under local
Computer
Management?

 

[Steven L Umbach]

That won't work. It would have to be a domain user - not a local users.
There are two ways to do Restricted Groups - members of this group or this
group is a member of. If you use members of this group then the existing
membership of the Restricted Group [power users in your case] will be
removed and replaced with what is specified for members of this group. If
you use this group is a member of then the global group/uers you specify
will be added to the power users group and the existing members will not be
removed. If you do not want Restricted Groups to apply to that computer then
move it to an Organizational Unit that would not have that Group Policy
apply to it or filter the Group Policy by adding the computer account to the
deny apply permission for the Group Policy Object. --- Steve

Thanks for the help and link. I've added the local user to the Power
Users
group account under Restricted Groups on the Workstations policy for the
primary domain controller for the domain. Will this user be listed as a
Power User on the local machine itself now?

There is no power users group in Active Directory - it is only available
as
a local group on domain computers. However Group Policy Restricted Groups
can be used to manage membership of the power users group which seems to
be
the case here. It sounds like Restricted Groups is not configured
correctly
if the domain user in question is being removed from the power users
group
or the domain user is not a member of the global group [don't use domain
local groups] specified in Restricted Groups. The link below may help in
explaining how to configure Restricted Groups. You would need to check
the
configuration for Restricted Groups for the Group Policy that rsop.msc
shows
as enforcing Restricted Groups. --- Steve

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

The computer is a member of AD and so I ran rsop.msc. However, I'm
very
new
to Windows administration, so I have no idea what all these security
settings
are telling me. What exactly should I be looking for? Under the
"Restricted
Groups" folder in the Computer Configuration section, I have
Administrators
and Power Users listed, and the local user name with the issue is a
member
of
the group listed under Power Users. Why is there no group called Power
Users
under the Active Directory list of groups, but there is under local
Computer
Management?

:

If the computer is a member of an Active Directory domain their could
be
a
Group Policy Restricted Groups configuration that is enforcing group
membership. Running rsop.msc on that computer probably would show such
if
that is the case. If not a member of an AD domain then it is hard to
say
what is going on but I would enable auditing of account management in
Local
Security Policy and then look for an account management event for
change
of
group membership to see what user changed the group membership. If the
user
is system that would indicate that something on the computer is
configured
to enforce group membership. --- Steve



I have a computer that is used for a certain automotive diagnostic
program
and this program requires that the user be logged on as a Power User
due
to
licensing issues. To set this up, I logged on as Administrator and
added
this user login name to the Power Users group under Computer
Management
and
Local Users and Groups. I then logged out as Administrator and
logged
in
as
the local user and everything worked fine. However, Windows XP
seems
to
"forget" that this user is a member of the Power Users group, as
I've
had
to
do the same procedure three times now. I'm assuming it happens
after
the
users restart the machine, but, regardless, is there some step I'm
missing
to
get this user to remain a Power User? Why is this setting not
saved?
Thanks.

 

[Guest]

Sorry, when I say "local user" I mean the login name that is typically used
on the machine in question (and is also the name of the computer itself).
That user is a domain user and it is the name "domainname\username" that I am
adding to the Restricted Groups\Power Users. However, also in the Power
Users membership is the general OU "domain\domain users", so wouldn't any
user that is a member of that OU then be a Power User? Perhaps I'm just
interpreting the term restricted groups wrong...is this saying that these
groups have restrictions as to who can be a member? Isn't this the case for
any group? By the way, after adding this user to the Power Users group in
this section, it did show up as a Power User under the Local Users and Groups
section on the actual machine itself and I haven't had any problems with the
program since. However, this is not the right way?

That won't work. It would have to be a domain user - not a local users.
There are two ways to do Restricted Groups - members of this group or this
group is a member of. If you use members of this group then the existing
membership of the Restricted Group [power users in your case] will be
removed and replaced with what is specified for members of this group. If
you use this group is a member of then the global group/uers you specify
will be added to the power users group and the existing members will not be
removed. If you do not want Restricted Groups to apply to that computer then
move it to an Organizational Unit that would not have that Group Policy
apply to it or filter the Group Policy by adding the computer account to the
deny apply permission for the Group Policy Object. --- Steve

Thanks for the help and link. I've added the local user to the Power
Users
group account under Restricted Groups on the Workstations policy for the
primary domain controller for the domain. Will this user be listed as a
Power User on the local machine itself now?

There is no power users group in Active Directory - it is only available
as
a local group on domain computers. However Group Policy Restricted Groups
can be used to manage membership of the power users group which seems to
be
the case here. It sounds like Restricted Groups is not configured
correctly
if the domain user in question is being removed from the power users
group
or the domain user is not a member of the global group [don't use domain
local groups] specified in Restricted Groups. The link below may help in
explaining how to configure Restricted Groups. You would need to check
the
configuration for Restricted Groups for the Group Policy that rsop.msc
shows
as enforcing Restricted Groups. --- Steve

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

The computer is a member of AD and so I ran rsop.msc. However, I'm
very
new
to Windows administration, so I have no idea what all these security
settings
are telling me. What exactly should I be looking for? Under the
"Restricted
Groups" folder in the Computer Configuration section, I have
Administrators
and Power Users listed, and the local user name with the issue is a
member
of
the group listed under Power Users. Why is there no group called Power
Users
under the Active Directory list of groups, but there is under local
Computer
Management?

:

If the computer is a member of an Active Directory domain their could
be
a
Group Policy Restricted Groups configuration that is enforcing group
membership. Running rsop.msc on that computer probably would show such
if
that is the case. If not a member of an AD domain then it is hard to
say
what is going on but I would enable auditing of account management in
Local
Security Policy and then look for an account management event for
change
of
group membership to see what user changed the group membership. If the
user
is system that would indicate that something on the computer is
configured
to enforce group membership. --- Steve



I have a computer that is used for a certain automotive diagnostic
program
and this program requires that the user be logged on as a Power User
due
to
licensing issues. To set this up, I logged on as Administrator and
added
this user login name to the Power Users group under Computer
Management
and
Local Users and Groups. I then logged out as Administrator and
logged
in
as
the local user and everything worked fine. However, Windows XP
seems
to
"forget" that this user is a member of the Power Users group, as
I've
had
to
do the same procedure three times now. I'm assuming it happens
after
the
users restart the machine, but, regardless, is there some step I'm
missing
to
get this user to remain a Power User? Why is this setting not
saved?
Thanks.

 

[Steven L Umbach]

Restricted Groups can do a couple things. It can either make sure that
membership in the Restricted Group is enforced by what is specified in
members of this group and then that is all that you should see in the power
users group on affected computers or it can make sure that a user/group is
included in the Restricted Group via this group is a member of. If you
included domain users to be a member of the Restricted Group [power users in
your case] if done correctly you should see domain users group included in
power users along with the specific user you added. It sounds like you got
it working if the user did finally show up as a member. When configuring
Restricted Groups to speed up propagation of any changes first run gpupdate
/force on the domain controller and then on the computer you are trying to
see if Restricted Groups is working correctly on. Otherwise it can take up
to two hours for the Group Policy change to propagate to the client
computer. --- Steve

Sorry, when I say "local user" I mean the login name that is typically
used
on the machine in question (and is also the name of the computer itself).
That user is a domain user and it is the name "domainname\username" that I
am
adding to the Restricted Groups\Power Users. However, also in the Power
Users membership is the general OU "domain\domain users", so wouldn't any
user that is a member of that OU then be a Power User? Perhaps I'm just
interpreting the term restricted groups wrong...is this saying that these
groups have restrictions as to who can be a member? Isn't this the case
for
any group? By the way, after adding this user to the Power Users group in
this section, it did show up as a Power User under the Local Users and
Groups
section on the actual machine itself and I haven't had any problems with
the
program since. However, this is not the right way?

That won't work. It would have to be a domain user - not a local users.
There are two ways to do Restricted Groups - members of this group or
this
group is a member of. If you use members of this group then the existing
membership of the Restricted Group [power users in your case] will be
removed and replaced with what is specified for members of this group. If
you use this group is a member of then the global group/uers you specify
will be added to the power users group and the existing members will not
be
removed. If you do not want Restricted Groups to apply to that computer
then
move it to an Organizational Unit that would not have that Group Policy
apply to it or filter the Group Policy by adding the computer account to
the
deny apply permission for the Group Policy Object. --- Steve

Thanks for the help and link. I've added the local user to the Power
Users
group account under Restricted Groups on the Workstations policy for
the
primary domain controller for the domain. Will this user be listed as
a
Power User on the local machine itself now?

:

There is no power users group in Active Directory - it is only
available
as
a local group on domain computers. However Group Policy Restricted
Groups
can be used to manage membership of the power users group which seems
to
be
the case here. It sounds like Restricted Groups is not configured
correctly
if the domain user in question is being removed from the power users
group
or the domain user is not a member of the global group [don't use
domain
local groups] specified in Restricted Groups. The link below may help
in
explaining how to configure Restricted Groups. You would need to check
the
configuration for Restricted Groups for the Group Policy that rsop.msc
shows
as enforcing Restricted Groups. --- Steve

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

The computer is a member of AD and so I ran rsop.msc. However, I'm
very
new
to Windows administration, so I have no idea what all these security
settings
are telling me. What exactly should I be looking for? Under the
"Restricted
Groups" folder in the Computer Configuration section, I have
Administrators
and Power Users listed, and the local user name with the issue is a
member
of
the group listed under Power Users. Why is there no group called
Power
Users
under the Active Directory list of groups, but there is under local
Computer
Management?

:

If the computer is a member of an Active Directory domain their
could
be
a
Group Policy Restricted Groups configuration that is enforcing
group
membership. Running rsop.msc on that computer probably would show
such
if
that is the case. If not a member of an AD domain then it is hard
to
say
what is going on but I would enable auditing of account management
in
Local
Security Policy and then look for an account management event for
change
of
group membership to see what user changed the group membership. If
the
user
is system that would indicate that something on the computer is
configured
to enforce group membership. --- Steve



I have a computer that is used for a certain automotive diagnostic
program
and this program requires that the user be logged on as a Power
User
due
to
licensing issues. To set this up, I logged on as Administrator
and
added
this user login name to the Power Users group under Computer
Management
and
Local Users and Groups. I then logged out as Administrator and
logged
in
as
the local user and everything worked fine. However, Windows XP
seems
to
"forget" that this user is a member of the Power Users group, as
I've
had
to
do the same procedure three times now. I'm assuming it happens
after
the
users restart the machine, but, regardless, is there some step
I'm
missing
to
get this user to remain a Power User? Why is this setting not
saved?
Thanks.

 

[Guest]

I think I got it now. Thanks for all your help, Steve.

Restricted Groups can do a couple things. It can either make sure that
membership in the Restricted Group is enforced by what is specified in
members of this group and then that is all that you should see in the power
users group on affected computers or it can make sure that a user/group is
included in the Restricted Group via this group is a member of. If you
included domain users to be a member of the Restricted Group [power users in
your case] if done correctly you should see domain users group included in
power users along with the specific user you added. It sounds like you got
it working if the user did finally show up as a member. When configuring
Restricted Groups to speed up propagation of any changes first run gpupdate
/force on the domain controller and then on the computer you are trying to
see if Restricted Groups is working correctly on. Otherwise it can take up
to two hours for the Group Policy change to propagate to the client
computer. --- Steve

Sorry, when I say "local user" I mean the login name that is typically
used
on the machine in question (and is also the name of the computer itself).
That user is a domain user and it is the name "domainname\username" that I
am
adding to the Restricted Groups\Power Users. However, also in the Power
Users membership is the general OU "domain\domain users", so wouldn't any
user that is a member of that OU then be a Power User? Perhaps I'm just
interpreting the term restricted groups wrong...is this saying that these
groups have restrictions as to who can be a member? Isn't this the case
for
any group? By the way, after adding this user to the Power Users group in
this section, it did show up as a Power User under the Local Users and
Groups
section on the actual machine itself and I haven't had any problems with
the
program since. However, this is not the right way?

That won't work. It would have to be a domain user - not a local users.
There are two ways to do Restricted Groups - members of this group or
this
group is a member of. If you use members of this group then the existing
membership of the Restricted Group [power users in your case] will be
removed and replaced with what is specified for members of this group. If
you use this group is a member of then the global group/uers you specify
will be added to the power users group and the existing members will not
be
removed. If you do not want Restricted Groups to apply to that computer
then
move it to an Organizational Unit that would not have that Group Policy
apply to it or filter the Group Policy by adding the computer account to
the
deny apply permission for the Group Policy Object. --- Steve


Thanks for the help and link. I've added the local user to the Power
Users
group account under Restricted Groups on the Workstations policy for
the
primary domain controller for the domain. Will this user be listed as
a
Power User on the local machine itself now?

:

There is no power users group in Active Directory - it is only
available
as
a local group on domain computers. However Group Policy Restricted
Groups
can be used to manage membership of the power users group which seems
to
be
the case here. It sounds like Restricted Groups is not configured
correctly
if the domain user in question is being removed from the power users
group
or the domain user is not a member of the global group [don't use
domain
local groups] specified in Restricted Groups. The link below may help
in
explaining how to configure Restricted Groups. You would need to check
the
configuration for Restricted Groups for the Group Policy that rsop.msc
shows
as enforcing Restricted Groups. --- Steve

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

The computer is a member of AD and so I ran rsop.msc. However, I'm
very
new
to Windows administration, so I have no idea what all these security
settings
are telling me. What exactly should I be looking for? Under the
"Restricted
Groups" folder in the Computer Configuration section, I have
Administrators
and Power Users listed, and the local user name with the issue is a
member
of
the group listed under Power Users. Why is there no group called
Power
Users
under the Active Directory list of groups, but there is under local
Computer
Management?

:

If the computer is a member of an Active Directory domain their
could
be
a
Group Policy Restricted Groups configuration that is enforcing
group
membership. Running rsop.msc on that computer probably would show
such
if
that is the case. If not a member of an AD domain then it is hard
to
say
what is going on but I would enable auditing of account management
in
Local
Security Policy and then look for an account management event for
change
of
group membership to see what user changed the group membership. If
the
user
is system that would indicate that something on the computer is
configured
to enforce group membership. --- Steve



I have a computer that is used for a certain automotive diagnostic
program
and this program requires that the user be logged on as a Power
User
due
to
licensing issues. To set this up, I logged on as Administrator
and
added
this user login name to the Power Users group under Computer
Management
and
Local Users and Groups. I then logged out as Administrator and
logged
in
as
the local user and everything worked fine. However, Windows XP
seems
to
"forget" that this user is a member of the Power Users group, as
I've
had
to
do the same procedure three times now. I'm assuming it happens
after
the
users restart the machine, but, regardless, is there some step
I'm
missing
to
get this user to remain a Power User? Why is this setting not
saved?
Thanks.