I have a windows 7 image that I will deploy to a system. I leave the initial account as the local administrator available for any modifications that need to happen to the computer down the road. I also join the computer to a domain.
Now, when I restart the computer I find that the non-builtin local administrator is no longer in the local administrators group!
What could cause this? My first guess is group policy, as I will add the account back to the local administrator group, but then it is gone once again after reboot.
Answer
To confirm/deny group policy affects run rsop.msc or use GPResult on the client, and look to see what they show you about applied group policies.
Possibilities include "Restricted Groups":
This feature enables you - as the administrator - to configure group memberships on the client computers or member servers. You can add user accounts to groups on client machines that are in the scope of the policy
Or perhaps, the "Local Group" Group Policy Preferences:
The initial task of securing the local Administrators group is to ensure that the user no longer has membership in the group. This is easier said than done, since most companies have configured the user’s domain account to have membership in this group at installation of the user’s computer.
...As a perfect solution, you can use the Local Group – Group Policy Preference to accomplish the task within about 90 minutes of you implementing it.
No comments:
Post a Comment