question

DaveKenney-0526 asked gduval-1412 published

When attempting to add new machine to Domain, local admin accounts removed

I am adding new laptops into an existing domain and recently (within the last 6 weeks or so) every time I try to add a new laptop to the local domain the local account I created at startup gets changed to a standard account, as do all the others I've tried. When I join to the domain with a legit account and give them Administrator rights, it creates the account but without Admin level rights. I've checked the local GP Policies and they are all set to default. This just started happening so not sure if it's update related or not. As long as I don't join the PC to the domain, any local account I create keeps the Admin level privileges. As soon as it joins the domain, it changes. I've looked at the policies on the server and can't find anything that stands out that would cause this. Since I've been able to do this routinely until about 4-5 weeks ago, I think it's an update issue. I can't find anything on the Microsoft site that offers any sort of hint. This is now affecting machines that have been on the network, in that the Admin level gets wiped on their machines. Even the domain Admin account shows up as a Standard account. :( I've tried builds 1909, 2004 and 20H2 and they are all exhibiting the same behavior.

Anyone have any ideas (or better yet - experienced this already and know a fix) ??? Been working this for days and it's getting frustrating as I have users that can't even do a driver update because of this issue.

windows-10-network

DSPatrick answered DaveKenney-0526 commented

Sounds like something's amiss with some policy.
Domain Admins are, by default, members of the local Administrators groups on all member servers and workstations in their respective domains.
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-f--securing-domain-admins-groups-in-active-directory#:~:text=If%20Domain%20Admins%20have%20been,by%2Dstep%20instructions%20that%20follow.

As to the users, this sounds correct. The local account and domain account are completely different entities. If you want them to be local admins then follow along here.
http://woshub.com/add-domain-users-local-admin-group-gpo/



--please don't forget to Accept as answer if the reply is helpful--


I looked through this and still haven't been able to identify the policy that's messing with my client setup. I can't get to the woshub.com link as it's blocked from my location. What's odd (and the root of the issue) is our Domain Admin account always had rights to link to our Work AD and create a local account with appropriate Admin level privs. Now it doesn't. I can link to our AD with it, but it creates locally as a standard user. This is why I'm leaning towards what I believe you're suggesting here as a policy setting somewhere on the domain. So far, I've not found anything out of the ordinary.

DaveKenney-0526 answered DSPatrick commented

Thanks for the quick reply. I will have to check on this after the server finishes its updates. I concur with the policy being the potential culprit, just can't find it. Kind of strange that this would manifest itself on its own. I've not had any issue with adding a user into the domain and then giving them local rights (for such things as installing drivers, etc.). Also odd that the Domain Admin, which as you stated is local admin by default, now all of a sudden isn't. I can't get to the 2nd link you posted right now as the firewall here has it blocked. I will look at it later and hit this fresh in the morning. Will let you know ...

Sounds good.

FanFan-MSFT answered DaveKenney-0526 commented

Hi,

Is there a Restricted Groups policy deployed from the domain?
We can run cmd as administrator on the clients and run the command: gpresult /h c:\report.html
Expand the computer node and check under: "Computer Configuration" > "Policies" > "Windows Settings" > "Security Settings" > "Restricted Groups"

Best Regards,

Thank you for the reply. I just checked the Security Settings folder list and there is no "Restricted Groups" folder in the list. So I have to presume that no restricted groups were set from the DC.
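Following up on DSPatrick's point that Domain Admins should be in the local Administrators group by default and FanFan-MSFT's suggestion to check the RSoP report for Restricted Groups, here is an added PowerShell audit script. It is not code posted by anyone in this thread. It snapshots the local Administrators membership on an affected client and parses the XML form of the gpresult report for the two Group Policy mechanisms that rewrite local group membership: Restricted Groups and Group Policy Preferences "Local Users and Groups". The XPath element and attribute names (RestrictedGroups, GroupName, Member, LocalUsersAndGroups, Group, Properties, deleteAllUsers, deleteAllGroups) are taken from the RSoP and GPP schemas and are an assumption about the report layout; the domain-side function additionally assumes the RSAT GroupPolicy module is installed.

```powershell
<#
  Added example, not code posted by anyone in this thread. Run from an elevated
  PowerShell on an affected domain-joined client. Get-LocalGroupMember and
  gpresult.exe are built in; the XPath names below come from the RSoP and Group
  Policy Preferences schemas and are an assumption about the report layout.
  Find-GpoTouchingLocalAdmins assumes the RSAT GroupPolicy module (run it on a
  DC or a management host).
#>

function Get-LocalAdminAudit {
    # Snapshot the group the thread is about. Domain Admins is expected here by
    # default on every domain member, so its absence is itself a finding.
    $members = Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
    $daPresent = [bool]($members | Where-Object { $_.Name -like '*\Domain Admins' })
    [pscustomobject]@{
        Members             = $members
        DomainAdminsPresent = $daPresent
    }
}

function Get-GroupPolicyLocalGroupSettings {
    param([string]$ReportPath = (Join-Path $env:TEMP 'rsop-computer.xml'))

    # Same data as "gpresult /h" in the answer above, but as XML so it can be parsed.
    & gpresult.exe /scope computer /x $ReportPath /f | Out-Null
    [xml]$rsop = Get-Content -Path $ReportPath -Raw
    $findings = @()

    # Security extension: Restricted Groups. "Members of this group" replaces the
    # whole membership at every policy refresh, which would match the symptom.
    foreach ($rg in $rsop.SelectNodes("//*[local-name()='RestrictedGroups']")) {
        $gpoNode   = $rg.SelectSingleNode("*[local-name()='GPO']/*[local-name()='Name']")
        $groupNode = $rg.SelectSingleNode("*[local-name()='GroupName']/*[local-name()='Name']")
        $gpoName   = '(unknown)'; if ($gpoNode)   { $gpoName   = $gpoNode.InnerText }
        $groupName = '(unknown)'; if ($groupNode) { $groupName = $groupNode.InnerText }
        $members = $rg.SelectNodes("*[local-name()='Member']/*[local-name()='Name']") |
            ForEach-Object { $_.InnerText }
        $findings += [pscustomobject]@{
            Source  = 'RestrictedGroups'
            GPO     = $gpoName
            Group   = $groupName
            Members = ($members -join ', ')
            Detail  = 'membership enforced on every policy refresh'
        }
    }

    # Preferences extension: Local Users and Groups. deleteAllUsers / deleteAllGroups
    # set to 1 strips the existing members (Domain Admins included) before re-adding.
    $gppGroups = $rsop.SelectNodes("//*[local-name()='LocalUsersAndGroups']//*[local-name()='Group']")
    foreach ($g in $gppGroups) {
        $p = $g.SelectSingleNode("*[local-name()='Properties']")
        if (-not $p) { continue }
        $memberList = $g.SelectNodes(".//*[local-name()='Member']") |
            ForEach-Object { "$($_.GetAttribute('name')):$($_.GetAttribute('action'))" }
        $findings += [pscustomobject]@{
            Source  = 'GPP LocalUsersAndGroups'
            GPO     = '(see RSoP report)'
            Group   = $p.GetAttribute('groupName')
            Members = ($memberList -join ', ')
            Detail  = "action=$($p.GetAttribute('action')) deleteAllUsers=$($p.GetAttribute('deleteAllUsers')) deleteAllGroups=$($p.GetAttribute('deleteAllGroups'))"
        }
    }
    return $findings
}

function Find-GpoTouchingLocalAdmins {
    # Domain-side view: every GPO that contains either setting at all, enabled or
    # not, which is how a forgotten "vestige" policy like the one in this thread is found.
    Import-Module GroupPolicy -ErrorAction Stop
    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        $hits = $report.SelectNodes("//*[local-name()='RestrictedGroups' or local-name()='LocalUsersAndGroups']")
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                GPO      = $gpo.DisplayName
                Id       = $gpo.Id
                Status   = $gpo.GpoStatus
                Settings = $hits.Count
            }
        }
    }
}

# Usage on the client:
Get-LocalAdminAudit | Format-List
Get-GroupPolicyLocalGroupSettings | Format-Table -AutoSize
# On a DC or RSAT host:
# Find-GpoTouchingLocalAdmins | Format-Table -AutoSize
```

The client-side part is the one to run first: if DomainAdminsPresent is false right after a join, or a finding shows deleteAllUsers/deleteAllGroups set to 1 or a Restricted Groups entry for Administrators, the GPO named in that row is the place to look. The domain-side function is slower (one report per GPO) but catches policies linked elsewhere in the OU tree that the client's own RSoP would not show.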

DaveKenney-0526 answered DSPatrick commented

Finally got this one solved. Turned out to be, in fact, a Domain Controller policy that someone (no one's admitting to it) went in about 4 weeks ago and changed some policy settings they likely shouldn't have. Since this particular policy was a vestige from something we don't use anymore, we were able to deactivate it and the issue with the local access has been resolved. Thanks again for the help and the pointer in the right direction.

:)

Great news, glad to hear it's sorted out.

gduval-1412 answered gduval-1412 published

I'm experiencing something similar with only specific Intel EVO laptops. I suspect one of our Group policies is at fault as well. What specific policy setting(s) were at fault in your case?

Thanks!