Server 2008 R2 environment, local admin rights are lost after random amounts of reboots or shutdowns.
We use AD in a Server 2008 R2 environment. We have at least 5 users that are losing their local admin rights after a reboot or shutdown. I can't see anything for sure that they all have in common. Are there any apps that are known to cause wacky symptoms like this? Please advise, re-adding all of these users every time this happens is getting painful. Thank you
October 29th, 2012 10:46am

Hiya, Sounds like a GPO that removes them?
October 29th, 2012 11:05am

No GPO is doing this. I have verified it on one of the systems itself by using gpresult. There is nothing that is triggering this via GPO that it shows. It is only 6 out of nearly a thousand machines on campus. There are at least 500 users throughout the campus that have local rights and only 6 users are affected. Odd, and there seems to be no rhyme or reason for it. Any assistance and additional places to look are welcome.
October 29th, 2012 1:23pm

"It is only 6 out of nearly a thousand machines on campus." Can you please disjoin and rejoin those 6 affected machines to the domain and see if the issue persists? Thanks, Regards, Santosh. I do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights. Whenever you see a helpful reply, click on Vote As Helpful & click on Mark As Answer if a post answers your question.
October 29th, 2012 1:42pm

I have done it with one, and even replaced the machine and had him sign into both. It followed the user... not sure what is going on.
October 29th, 2012 2:36pm

Do you have logon or logoff scripts running? If yes, can you please remove them and check what happens? Thanks, Regards, Santosh. I do not represent the organisation I work for, all the opinions expressed here are my own. This posting is provided "AS IS" with no warranties or guarantees and confers no rights. Whenever you see a helpful reply, click on Vote As Helpful & click on Mark As Answer if a post answers your question.
October 29th, 2012 2:42pm

I will have to wait for the administrators of AD at our location to return tomorrow at the earliest to have this done. Likely they will not do it as it would affect all of the OU which is nearly everyone.
October 29th, 2012 3:44pm

If it was a restricted groups GPO removing the users from the local admin group, why would that happen once on several reboots and not every time the policy is applied? Shouldn't the GPO be applied each time user logs in?
November 4th, 2012 7:50am

I agree with ludrap. Check those PCs for malware infections. It's possible that malware is consuming lots of bandwidth and kicking in slow link detection and so the GPOs are being applied intermittently at startup. Also, can you move one of those users to another OU temporarily to see what happens? Miguel Fra | Falcon IT Services, Miami, FL www.falconitservices.com | www.falconits.com | Blog
November 4th, 2012 10:46am

"We use AD in a server 2008 R2 environment. We have at least 5 users that are losing their local admin rights after a reboot or shutdown. I can't see anything for sure that they all have in common. Are there any apps that are known to cause wacky symptoms like this? Please advise, readding all of these users every time this happens is getting painful."
It seems that you are using a Restricted Groups group policy or a script, which is the cause of that: http://www.windowsecurity.com/articles/using-restricted-groups.html In fact, the behavior of Restricted Groups, if you are using the Members field, is that it removes the current members of the group and replaces them with the ones set in the group policy. This explains the behavior you have each time your group policy settings are applied. To troubleshoot the application of group policies, you can use rsop.msc or gpresult on the client computers or Group Policy Modeling / Results on your DCs. This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
November 4th, 2012 2:31pm
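
Added example, not part of any reply in this thread: one way to see which account removes users from the local Administrators group is to read the group-membership audit events (4732 added, 4733 removed) on an affected client. It assumes an elevated prompt, that "Audit Security Group Management" is enabled on the machine, and a 30-day look-back window chosen for illustration.

```powershell
# Added example. Without the "Audit Security Group Management" audit policy
# nothing is logged, and without elevation the Security log cannot be read;
# both cases produce empty output here because errors are suppressed.
$AdminsSid = 'S-1-5-32-544'            # well-known SID of BUILTIN\Administrators
$Since     = (Get-Date).AddDays(-30)   # assumed look-back window

function Resolve-Sid([string]$Sid) {
    # Translate a SID to DOMAIN\name; fall back to the raw SID if unresolvable.
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

# 4732 = member added to a local group, 4733 = member removed from a local group
$filter = @{ LogName = 'Security'; Id = 4732, 4733; StartTime = $Since }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # Flatten the named <Data> fields of the event into a hashtable.
        foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        if ($data['TargetSid'] -ne $AdminsSid) { return }   # other groups: skip

        $action = if ($evt.Id -eq 4733) { 'Removed' } else { 'Added' }
        New-Object PSObject -Property @{
            Time      = $evt.TimeCreated
            Action    = $action
            Member    = Resolve-Sid $data['MemberSid']
            ChangedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    } |
    Sort-Object Time |
    Format-Table Time, Action, Member, ChangedBy -AutoSize
```

The ChangedBy column shows which account performed each change, which separates policy processing running as the computer account from a script or person using a named account.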

One such system was replaced with a brand new imaged machine that had nothing on it prior. The user was given rights, and after installing back some of his software it bombed out and removed his software. Another user never had the problem at all when he was on Win XP and now does with Win7 on another machine (totally different hardware) and in a totally different sub OU. This last user has been calling up more frequently as he reboots or shuts down his system each night. In his case he notices the change happening after he is on vacation for at least a day, likely meaning the system is off for 24 or more hours. I am unsure if that is relevant or not. I doubt that malware is playing a part in this one. I can check, but a brand new out of the box, imaged machine wouldn't get infected that quickly. I can move a machine out of the OU, but again, why are there only 5-6 users with this issue instead of all 500+ that are all in the same OU?
November 7th, 2012 9:43am

This topic is archived. No further replies will be accepted.
