Random domain members are added to the local administrator group

Question

Every computer in the local administrator group (and remote desktop users group) contains a random selection of domain members. After deleting them they come back after a restart or forcing an gpupdate. This seems to indicate the problem lies within the GPO settings, but I cant find their anything which should do that. The fact that they are random members and different on every computer seems to me a local problem.

I used "Computer Configuration --> Preferences --> Control Panel settings --> Local users and groups" until recently but have removed that policy. Now I changed to "Computer Configuration --> Policies --> Windows Settings --> Security Settings --> Restricted Groups" I have there one group, with 3 users, which is a member of Administrators and Remote Desktop Users. This seems to work, as that group is added.

Now I only need to get rid off these random domain members. Does anybody know where else I can find some settings related to this. Using Google I only find information how to add members, not how to delete them.

Answer 1

Run a gpresult /z to see which policies are being applied to your machine and inspect those GP objects to find your culprit.

Answer 2

Run the GP results wizard from the GP Management Console. When it's done look at the settings tab. There is probably something Under Computer Configuration > Preferences > Control Panel > Local Users And Groups. You will see something like Group (Name: Administrators (built-in)). Under that it will list any members added or deleted.

If you still don't see anything, I would create a new OU. Then put your computer account and your user account in the new OU. Then in the Group Policy Management Console block inheritance. Remove all the users you don't want out of the administrators group. Then run a gpupdate /force from the command prompt. Reboot your machine for good measure.