Domain Users
I have an issue where I will join a PC to the domain and domain user will be added to the local admin group. I would like to stop this from happening. All my DCs are running Windows 2008 R2. My office PCs and laptops are Windows 7 w/SP1. I have checked all my GPOs and can't find where this is coming from. Any help would be greatly appreciated.
Thank you
-Joe
May 16th, 2012 2:02pm

If the group "Domain Users" is added to the local Administrators group when the computer is joined to the domain, there must be a Restricted Groups policy being applied. See these links:
http://technet.microsoft.com/en-us/library/cc785631(v=WS.10).aspx
http://technet.microsoft.com/en-us/library/cc756802(v=WS.10).aspx
Note the location of the policy:
GPO_name\Computer Configuration\Windows Settings\Security Settings\Restricted Groups\
Richard Mueller - MVP Directory Services
May 16th, 2012 9:06pm


Hi Joe, In addition to the restricted groups policy above, it could also be from group policy preferences or a computer startup script, so you may want to check both those areas as well. Given preferences don't show up in rsop.msc, one way you can catch them - short of visually inspecting every policy object you have, is to use the "Group Policy Results" node in the GPMC to connect remotely to an affected workstation (or server) and create a GP results report. Cheers, Lain
May 16th, 2012 10:37pm
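
The two sources named so far, Restricted Groups and Group Policy Preferences, can also be checked by reading each GPO's files in SYSVOL instead of opening every GPO in the editor. The script below is an added example, not part of the original thread: `Find-LocalAdminGpoSetting` is a hypothetical helper name, and the sample tree (GUIDs, domain SID, `EXAMPLE` domain) is constructed so it runs offline.

```powershell
# Added example. Find-LocalAdminGpoSetting is a hypothetical helper name.
function Find-LocalAdminGpoSetting {
    param([Parameter(Mandatory = $true)][string]$PoliciesRoot)
    foreach ($gpo in Get-ChildItem -LiteralPath $PoliciesRoot | Where-Object { $_.PSIsContainer }) {
        # Restricted Groups: [Group Membership] section of the GPO's security template.
        $inf = Join-Path $gpo.FullName 'Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
        if (Test-Path -LiteralPath $inf) {
            $inSection = $false
            foreach ($line in Get-Content -LiteralPath $inf) {
                if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
                # "X__Members =" sets the members of X; "Y__Memberof = X" nests Y into X.
                if ($inSection -and ($line -match '^\s*\*?(S-1-5-32-544|Administrators)__Members\s*=' -or
                                     $line -match '__Memberof\s*=.*(S-1-5-32-544|Administrators)')) {
                    New-Object PSObject -Property @{ Gpo = $gpo.Name; Source = 'Restricted Groups'; Setting = $line.Trim() }
                }
            }
        }
        # Group Policy Preferences: Local Users and Groups items for the Administrators group.
        $xmlPath = Join-Path $gpo.FullName 'Machine\Preferences\Groups\Groups.xml'
        if (Test-Path -LiteralPath $xmlPath) {
            $doc = [xml](Get-Content -LiteralPath $xmlPath)
            $xpath = '//Group/Properties[@groupSid="S-1-5-32-544" or starts-with(@groupName,"Administrators")]/Members/Member'
            foreach ($m in $doc.SelectNodes($xpath)) {
                $text = '{0} {1} ({2})' -f $m.GetAttribute('action'), $m.GetAttribute('name'), $m.GetAttribute('sid')
                New-Object PSObject -Property @{ Gpo = $gpo.Name; Source = 'GPP Groups.xml'; Setting = $text }
            }
        }
    }
}

# Constructed sample tree (made-up GUIDs and domain SID; RID 513 is Domain Users).
$root = Join-Path $env:TEMP 'SampleSysvolPolicies'
$a = Join-Path $root '{11111111-1111-1111-1111-111111111111}\Machine\Microsoft\Windows NT\SecEdit'
$b = Join-Path $root '{22222222-2222-2222-2222-222222222222}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Force -Path $a, $b | Out-Null
Set-Content (Join-Path $a 'GptTmpl.inf') @'
[Unicode]
Unicode=yes
[Group Membership]
*S-1-5-21-1111111111-2222222222-3333333333-513__Memberof = *S-1-5-32-544
*S-1-5-21-1111111111-2222222222-3333333333-513__Members =
'@
Set-Content (Join-Path $b 'Groups.xml') @'
<Groups><Group name="Administrators (built-in)"><Properties action="U" groupSid="S-1-5-32-544" groupName="Administrators (built-in)"><Members><Member name="EXAMPLE\Domain Users" action="ADD" sid="S-1-5-21-1111111111-2222222222-3333333333-513"/></Members></Properties></Group></Groups>
'@
Find-LocalAdminGpoSetting -PoliciesRoot $root | Format-Table Gpo, Source, Setting -AutoSize
```

Against a real domain, pass the `Policies` folder under the domain's SYSVOL share as `-PoliciesRoot`; the `Gpo` column is the GPO's GUID folder name, which `Get-GPO -Guid` resolves to a display name.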

Hi, In addition to the above troubleshooting information, I would like to confirm what domain user is added to your local administrator group? It is normal if the domain user is a domain administrator. Otherwise, please check Restricted Groups Group Policy and Local Users and Groups Group Policy Preference.
Regards, Arthur Li
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Arthur Li TechNet Community Support
May 17th, 2012 10:36am

Hi, thank you for getting back to me so fast.

I did check to see if it was some kind of startup script and it was not. I believe it to be a GPO issue. I don't know if you have seen this or not, but what's happening is options in my GPOs are disappearing. For example, I created a GPO for the office printers in the "group policy object folder" named printer. So if I go into printer>edit>computer configuration>policies>Windows settings>Deploy printers, the Deploy printers option will sometimes not be there (in the GUI), but if I run a report it will show the printers are being shared. My DCs are replicating to each other with no problems and I only have one site with 4 DCs. All my DCs and PCs are joined to the same domain. I have run dcdiag to check the health of my domain and everything checks out fine. Do you know of any tools I can use to check the health of my GPOs? Is it possible to reset the GPOs back to default? I can easily re-create the 3 GPOs I am currently running now.

I did check the "Restricted Groups Group Policy" and domain users are not in there. I've used "Restricted Groups Group Policy" to control who can be added to the domain admin group. I have checked both the Default Domain Controllers policy and the Default Domain policy to make sure domain users were not added to the admins group. Weird???? Thank you for taking the time to give me advice. I will follow the troubleshooting steps.
May 17th, 2012 2:49pm

Hello, please check the builtin security groups if domain users are added to the domain admins. This should also result in your access permissions.
Best regards
Meinolf Weber MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
May 18th, 2012 1:40pm

Thank you for your response. I have indeed looked at the builtin groups. Domain User are not a part of the domain admins group or Domain admins.
May 21st, 2012 2:11pm

Hi, Would you please try to perform the following steps on the client to test the issue.

Delete All Group Policy Registry keys
========================
1. Click Start, type regedit.exe (without quotation marks) into Start Search box and press Enter.
2. Locate the following key:
   [HKEY_LOCAL_MACHINE\Software\Policies\Microsoft]
   Right click on "Microsoft", click "Export"; please name the file as "RegBackup" (without quotation marks) and then save it to the C:\ drive as a backup.
   Note: In case we need to undo the modification, we can double click this RegBackup.reg file to restore the registry key.
3. Highlight Microsoft and click "Delete".
4. Please repeat the above steps for the following registry keys.
   [HKEY_CURRENT_USER\Software\Policies\Microsoft]
   [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects]
   [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
   Note: if some keys do not exist, please ignore them.
5. Exit the Registry Editor.

What's the result? If it works, please collect the GPMC log and upload it to me here for our further research.

Collect GPMC log
==============
1. On domain controller, click Start -> Run, type GPMC.MSC, it will load the GPMC console. If the GPMC snap-in is not installed.
2. Right click on "Group Policy Result" and choose wizard to generate a report for the problematic computer and user account (please place appropriately). (Choose computer and select the proper user in the wizard)
3. Right click the resulting group policy result and click the "Save Report" => save report and upload it to the link I provided.

Regards, Arthur Li
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Arthur Li TechNet Community Support
May 25th, 2012 3:14am


Hi, I would like to confirm what is the current situation? If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.
Regards, Arthur Li
TechNet Subscriber Support
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Arthur Li TechNet Community Support
June 3rd, 2012 10:44pm

Hi, how do you create your users? Usually copying an old user is the "fastest" way to create a new one. By the book, when you install a DC you create a new user with domain admin rights. Most administrators are doing this by copying the builtin administrator account. Maybe this is where your problem lies. When copying users, the new user inherits group membership from the "original" user.
Best regards
Dubravko Marak MCP
Blog: Windows Server Administration
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 4th, 2012 9:38am

This topic is archived. No further replies will be accepted.
