What could possibly be adding a domain security group to local admin on my Windows 10 and 11 endpoints?

Anonymous
2024-12-16T14:41:35+00:00

I work for an MSP as an embedded technician at a municipality. Recently we began to use AutoElevate to manage administrative privileges and as a result I'm removing all local admin rights from individual users that may have previously had them. This has led me to a discovery that security groups are being added seemingly by User OU to individual machines. I'm looking to find out how this is happening but can't figure it out.

Places I've checked:

GPO. I have a group policy that activates the "Administrator" account on local machines and another that sets the password of said account, and one that removes individual domain users from group policy but nothing else.

File Shares: The security groups in question are broken up by department. Only the security group for machines in the department that has access to them are showing up in local admin. I have conditional access enumeration to our "Departments" share (i.e. only the PD can see the PD folder and what determines that is the PD security group that is now showing up in local admins on PD specific machines.)

What else could possibly be pushing this?


Windows for business | Windows Client for IT Pros | Directory services | Deploy group policy objects

Accepted answer
  1. Anonymous
    2024-12-17T08:30:32+00:00

    Hello Trevor Patton,

    Thank you for posting in Microsoft Community forum.

    Based on the description "This has led me to a discovery that security groups are being added seemingly by User OU to individual machines", do you mean that maybe there is a GPO setting that caused domain groups to be added to local administrators?

    If so, you can sign in to one domain machine and check the group policy result.

    For checking Computer Configuration within gpresult, you can follow the steps below.

    1. Log on to this machine using an administrator account.
    2. Open CMD (run as Administrator).
    3. Type gpresult /h C:\gpo.html and press Enter.
    4. Open gpo.html and check the GPO settings under "Computer Details".

    For checking User Configuration within gpresult, you can follow the steps below.

    1. Log on to the machine using a normal domain user account (that applies this GPO).
    2. Create a folder named F1 in the C drive.
    3. Open CMD (do not run as Administrator).
    4. Type gpresult /h C:\F1\gpo.html and press Enter.
    5. Open gpo.html and check if there are these GPO settings under "User Details".

    Please check Restricted Groups.

     Description of group policy restricted groups - Windows Server | Microsoft Learn

    And check local groups and users.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

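The checks described in the accepted answer (current local Administrators membership, then the applied GPOs that carry Restricted Groups or Group Policy Preferences "Local Users and Groups" settings) can be scripted so they can be run on each endpoint rather than read out of gpo.html by hand. The following PowerShell is an added example and is not code from the thread or from Microsoft; it assumes a Windows 10/11 endpoint with the built-in LocalAccounts module, an elevated session for the computer scope, and the usual RSoP XML layout produced by `gpresult /x` (an `ExtensionData` node per client-side extension, with `GPO/Name` elements naming the policy that supplied each setting). The output path and the two search strings are assumptions chosen for this example.

```powershell
# Added example (not from the original thread): audit who is in the local
# Administrators group on this endpoint and which applied GPOs contain the
# two policy mechanisms that push members into local groups.
# Assumes Windows 10/11 (LocalAccounts module) and an elevated session.

$rsopPath = Join-Path $env:TEMP 'rsop.xml'   # constructed output location

function Get-AdminDomainGroups {
    # Domain security groups that are direct members of local Administrators.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'Group' -and $_.PrincipalSource -eq 'ActiveDirectory' } |
        Select-Object -ExpandProperty Name
}

function Get-LocalGroupPolicySources {
    param([string]$XmlPath)

    # /x writes RSoP as XML; /f overwrites an existing file.
    gpresult /x $XmlPath /f | Out-Null
    [xml]$rsop = Get-Content -Path $XmlPath -Raw

    $scopes = @{
        Computer = $rsop.Rsop.ComputerResults
        User     = $rsop.Rsop.UserResults   # absent when run from an elevated/admin logon
    }

    foreach ($scope in $scopes.Keys) {
        $results = $scopes[$scope]
        if ($null -eq $results -or $null -eq $results.ExtensionData) { continue }

        foreach ($ext in $results.ExtensionData) {
            $xml  = $ext.Extension.OuterXml
            $hits = @()
            # Assumed element names in the RSoP XML for the two mechanisms.
            if ($xml -match 'RestrictedGroups')    { $hits += 'Restricted Groups' }
            if ($xml -match 'LocalUsersAndGroups') { $hits += 'GPP Local Users and Groups' }
            if (-not $hits) { continue }

            # Names of the GPOs that supplied settings in this extension.
            $gpoNames = $ext.Extension.SelectNodes('.//*[local-name()="GPO"]/*[local-name()="Name"]') |
                ForEach-Object { $_.InnerText } | Sort-Object -Unique

            [pscustomobject]@{
                Scope     = $scope
                Extension = $ext.Name
                Mechanism = ($hits -join ', ')
                GPOs      = ($gpoNames -join '; ')
            }
        }
    }
}

Write-Host '== Domain groups currently in local Administrators =='
Get-AdminDomainGroups

Write-Host '== Applied GPOs that manage local group membership =='
Get-LocalGroupPolicySources -XmlPath $rsopPath | Format-Table -AutoSize
```

Run it once elevated to cover the computer scope and once as an ordinary domain user (with a writable `$env:TEMP`) to cover the user scope, as the answer's two gpresult procedures do. A department security group listed by `Get-AdminDomainGroups` that does not appear under any GPO named by `Get-LocalGroupPolicySources` was added by something other than Group Policy, which narrows the search to local scripts, imaging, or management tools.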
