Need Help! Domain Admin account question

MariusRZR (MCP, MCSA Server 2012, Azure Administrator, VCP6-DCV; Romania; Member, Posts: 92)
Hello Guys,

I am in dire need of help with something.

I have the following scenario.

I am a member of the Domain Admins Group. The group membership of the Domain Admins group is managed via Default Domain Policy / Restricted groups.

Now the problem. My account gets removed from the Domain Admins group at random times. (The Default Domain Policy is enforced.)

It does not happen at policy refresh intervals... Sometimes it doesn't happen at all for a day or two, and sometimes it happens once or twice a day.

I have verified each GPO; nothing overwrites the Default Domain Policy (Enforced).

This used to happen to a colleague of mine but it suddenly stopped. He didn't do anything to fix it.

This is beyond weird. Any ideas?

Thank you in advance.

LE: My account is not added back to the group when the policy refreshes on the Domain Controller.


  • sthomas (Member, Posts: 1,240)
    Does this happen even if you add your user account to the domain admins group through AD users and computers?

    I would look into using Group Policy preferences for this instead. Also, I would recommend creating a separate policy instead of using the default domain policy.
    Working on: MCSA 2012 R2
  • joeswfc (Member, Posts: 118)
    When you say domain admins group, do you mean local admins?

    I don't believe you can manage the Domain Admins group in Group Policy (you would just use AD Users and Computers?).

    If it is the local admins group, then it sounds like another GPO is in place on the OU where the affected computer/server is... Just because it is set to Enforced, it doesn't mean nothing overrides it... Enforced basically means that if an OU is set to block inheritance (which will stop GPOs above it, such as domain GPOs, from applying), it will still inherit this particular one. If there is a setting in the GPO assigned to the OU that overrides the default GPO, it will override it.

    The first thing to check is which GPOs are applied to the affected OU, so find the OU within Group Policy Management and click on the Group Policy Inheritance tab. Look through all of the GPOs that are listed and see if there is anything in any of them affecting it.

    Hope this helps!
  • Enticles (Member, Posts: 68)
    I agree with Joeswfc.

    If you have privileges to do so, I'd run a gpresult to see what exactly is happening with your user account, computer account, and the respective GPO(s) you are expecting to apply or not apply.

    It could just be a case of some OU restructuring or GPO Security Group Filtering affecting whether or not a GPO is applied to your account and/or system.
    Current Certifications: CompTIA A+, CompTIA Network+, Microsoft MCTS 70-640
    Currently pursuing: CompTIA Security+, Microsoft 70-410
    2018 Roadmap - MCSA: Windows Server 2012: 70-410 [ ], 70-411 [ ], 70-412 [ ]
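The two checks suggested above (the Group Policy Inheritance tab for the OU, then gpresult) can be done from a shell as well. The script below is an added example, not code from the thread: it lists every GPO that reaches the Domain Controllers OU in effective precedence order, flags the ones that carry a Restricted Groups definition, and prints the current membership of Domain Admins for comparison. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed and that the caller can read the GPOs; the OU path is built from the current domain.

```powershell
# Added example, not code from the thread. Lists every GPO that reaches the
# Domain Controllers OU in effective precedence order and flags the ones that
# define a Restricted Groups setting, so a second definition of "Domain Admins"
# (or a disabled/unlinked Default Domain Policy) stands out at a glance.
# Assumes the GroupPolicy and ActiveDirectory RSAT modules and read access to the GPOs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$dcOU     = "OU=Domain Controllers,$domainDN"

# InheritedGpoLinks is the effective list for the OU, including links inherited
# from the domain; Order 1 is applied last and therefore wins on conflicts.
$links = (Get-GPInheritance -Target $dcOU).InheritedGpoLinks

$links | ForEach-Object {
    $gpo    = Get-GPO -Guid $_.GpoId
    # The XML report only contains a RestrictedGroups element when the setting is defined.
    $report = (Get-GPOReport -Guid $_.GpoId -ReportType Xml) -join ''
    [pscustomobject]@{
        Order            = $_.Order
        GPO              = $_.DisplayName
        Enabled          = $_.Enabled
        Enforced         = $_.Enforced
        RestrictedGroups = ($report -match 'RestrictedGroups')
        LastModified     = $gpo.ModificationTime
    }
} | Sort-Object Order | Format-Table -AutoSize

# What the group looks like right now, for comparison with the GPO definition.
Get-ADGroupMember -Identity 'Domain Admins' | Select-Object SamAccountName, objectClass
```

Restricted Groups is a computer-side setting, so the RSOP that matters is the domain controller's computer scope, not the user's: run `gpresult /r /scope:computer` (or `gpresult /h report.html` for a full report) on the DC itself, logged on with an account that can read its policy. If more than one GPO in the list above defines Restricted Groups, the one with the lower Order number is the one whose member list the DC will enforce.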
  • MariusRZR (MCP, MCSA Server 2012, Azure Administrator, VCP6-DCV; Romania; Member, Posts: 92)
    I am talking about the "Domain Admins" group, not local admins.
    You can manage that via Default Domain Policy. You create a Restricted Groups policy that is applied to domain controllers and you set the group membership for "Domain Admins" via GPO. It also works for Enterprise Admins and Schema Admins.

    The problem is that no other policy overwrites that one. I ran RSOP multiple times and analyzed each GPO. All should work well, but it doesn't. And it does not happen at regular intervals. Sometimes it works for a few days and sometimes it deletes the account from the group twice a day.
    This makes no sense whatsoever...

    As for access, I have domain admin access to pretty much everything. I'm in charge of infrastructure.
    We are 4 sysadmins there and this problem is giving us nightmares. A colleague of mine was affected as well but it suddenly stopped...

    The only workaround I have found is to leave an RDP session open on the DC. When it removes my access, the session is still open and I can just add myself back to the group.
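RSOP shows which policy should apply, but it cannot say what actually performed a removal. The Security log on the domain controllers can: with "Audit Security Group Management" enabled, every change to Domain Admins is recorded as event 4728 (member added) or 4729 (member removed; Domain Admins is a global group) with a Subject field naming the account that made the change. The script below is an added example, not code from the thread; it collects those events from every DC for a constructed seven-day window and assumes the ActiveDirectory module is available and the caller can read the DCs' Security logs remotely.

```powershell
# Added example, not code from the thread. Pulls "Domain Admins" membership
# changes (4728 = member added, 4729 = member removed; Domain Admins is a global
# group) from the Security log of every DC, so the Subject column shows what
# performed each removal. Assumes "Audit Security Group Management" is enabled on
# the DCs and that the caller can read their Security logs; $Days is a constructed window.
Import-Module ActiveDirectory

$Days  = 7
$start = (Get-Date).AddDays(-$Days)
$dcs   = (Get-ADDomainController -Filter *).HostName

$filter = @{ LogName = 'Security'; Id = 4728, 4729; StartTime = $start }

$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                # Flatten the EventData name/value pairs into a lookup table.
                $x = [xml]$_.ToXml()
                $d = @{}
                foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
                $action = if ($_.Id -eq 4729) { 'Removed' } else { 'Added' }
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    DC      = $dc
                    Action  = $action
                    Group   = $d['TargetUserName']
                    Member  = $d['MemberName']
                    Subject = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    LogonId = $d['SubjectLogonId']
                }
            }
    } catch {
        # Get-WinEvent throws when nothing matches; a DC with no events is not a failure here.
        Write-Verbose "No matching events on ${dc}: $($_.Exception.Message)"
    }
}

$events |
    Where-Object { $_.Group -eq 'Domain Admins' } |
    Sort-Object Time |
    Format-Table Time, DC, Action, Member, Subject, LogonId -AutoSize
```

Reading the output: a removal whose Subject is a DC's own machine account (or SYSTEM) is typically the Restricted Groups client-side extension enforcing the member list during a policy refresh on that DC, whereas a Subject that is a named user points to a manual or scripted change through ADUC or a similar tool. Because Restricted Groups replaces the membership with exactly the accounts listed in the policy, an account missing from the list is removed at every refresh; the DC column tells you on which controller the change originated, and the LogonId can be matched against that DC's 4624 logon event to find the source of the session.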
  • MariusRZR (MCP, MCSA Server 2012, Azure Administrator, VCP6-DCV; Romania; Member, Posts: 92)
    Okay, if I manually update the GPO on the Domain Controller, my account is back in the "Domain Admins" group.
    Now I have another problem besides what is removing me... why isn't the GPO being applied on the DC?
  • sthomas (Member, Posts: 1,240)
    In my opinion it doesn't make sense to use Group Policy to manage the Domain Admins group. Wouldn't it be easier to just manage the group via ADUC? It sounds like more work to do this with Group Policy.
    Working on: MCSA 2012 R2
  • MariusRZR (MCP, MCSA Server 2012, Azure Administrator, VCP6-DCV; Romania; Member, Posts: 92)
    I know, told that to management many times. They just don't like changes in the production environment. I work for a bank...
    I dunno who set this up this way but it's a pain in the ass.