This may seem strange, but I am having a very strange problem.
I just inherited an AD 2003 with a single DC. 90% of the client stations are Windows 7.
The problem I have is that the Domain Users Security Group is being added to the Local Administrator Group on client stations.
I have performed RSOP analysis from client stations. Run Group Policy Results Wizard from the DC, on both the client station and user account, and reviewed all existing GPO's (applied or not) in the entire forest and see no policy that would cause this.
We're not using any GPO's to configure Restricted Groups.
I've reviewed all startup and logon scripts and found nothing.
I cannot find anything that explains why this is happening.
I've removed Domain Users from the Local Admin group manually and restarted the computer, and upon login it is back. This is not with an elevated privilege account. I have been using a test account that has no memberships, nor is it a part of any OU besides Users.
If needed I can try to provide a link to the RSOP. And below is an event viewer log showing that Domain Users is being added to the Local Admin group. From what I can tell, this is being done by the host machine itself? (Client station name is T430-0007)
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/25/2014 11:29:18 AM
Event ID: 4732
Task Category: Security Group Management
Level: Information
Keywords: Audit Success
User: N/A
Computer: T430-0007.mydomaint.local
Description: A member was added to a security-enabled local group.

Subject:
    Security ID:      SYSTEM
    Account Name:     T430-0007$
    Account Domain:   MYDOMAIN
    Logon ID:         0x3e7

Member:
    Security ID:      MYDOMAIN\Domain Users
    Account Name:     -

Group:
    Security ID:      BUILTIN\Administrators
    Group Name:       Administrators
    Group Domain:     Builtin

Additional Information:
    Privileges:       -

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4732</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13826</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2014-02-25T17:29:18.219256000Z" />
    <EventRecordID>1127091</EventRecordID>
    <Correlation />
    <Execution ProcessID="840" ThreadID="944" />
    <Channel>Security</Channel>
    <Computer>T430-0007.mydomaint.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="MemberName">-</Data>
    <Data Name="MemberSid">S-1-5-21-1635982567-534386104-751052348-513</Data>
    <Data Name="TargetUserName">Administrators</Data>
    <Data Name="TargetDomainName">Builtin</Data>
    <Data Name="TargetSid">S-1-5-32-544</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">T430-0007$</Data>
    <Data Name="SubjectDomainName">MYDOMAIN</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
Any advice would be appreciated.
Thanks!
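The following PowerShell script is an added example for triaging a post like the one above; it is not code from the original poster. It does three things a practitioner would want when a 4732 event shows the machine account (Subject T430-0007$, Logon ID 0x3e7, which is the well-known SYSTEM logon session, SID S-1-5-18) adding the Domain Users RID (-513) to BUILTIN\Administrators (S-1-5-32-544): it enumerates the current local Administrators members and flags the Domain Users SID, it pulls recent 4732 events targeting S-1-5-32-544 and extracts the subject, logon ID and the ProcessID from the event XML, and it searches SYSVOL for Group Policy Preferences "Local Users and Groups" items (Groups.xml under each GPO's Machine\Preferences\Groups folder), which are distinct from Restricted Groups and are not displayed by the RSoP snap-in. Assumptions: it is run elevated on the affected Windows 7 client; the WinNT ADSI provider is used instead of Get-LocalGroupMember so it works on PowerShell 2.0; the domain DNS name comes from $env:USERDNSDOMAIN; the PID-to-process lookup is only meaningful if the machine has not rebooted since the event.

```powershell
# Added example (not from the original post): audit local Administrators,
# list 4732 additions to it, and search SYSVOL for GPP Groups.xml items.
# Assumes: run elevated on the affected client, PowerShell 2.0 or later.

$AdminsSid      = 'S-1-5-32-544'   # BUILTIN\Administrators
$DomainUsersRid = '513'            # well-known RID of "Domain Users"

function Get-LocalAdminMembers {
    # WinNT provider works on Windows 7 / PS 2.0 (Get-LocalGroupMember does not exist there)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath',   'GetProperty', $null, $m, $null)
        $raw  = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid  = (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
        New-Object PSObject -Property @{
            Member        = ($path -replace '^WinNT://', '') -replace '/', '\'
            Sid           = $sid
            IsDomainUsers = $sid.EndsWith("-$DomainUsersRid")
        }
    }
}

function Get-AdminGroupAdditions {
    param([int]$Last = 50)   # look at the last N 4732 events in the Security log
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732 } -MaxEvents $Last -ErrorAction SilentlyContinue |
      ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TargetSid'] -eq $AdminsSid) {
            $pid = [int]$x.Event.System.Execution.ProcessID
            # Only valid if the box has not rebooted since the event was written
            $proc = Get-Process -Id $pid -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                Time      = $_.TimeCreated
                MemberSid = $d['MemberSid']
                Subject   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                LogonId   = $d['SubjectLogonId']   # 0x3e7 = SYSTEM logon session
                ProcessId = $pid
                ProcNow   = if ($proc) { $proc.ProcessName } else { '(not running / rebooted)' }
            }
        }
      }
}

function Find-GppLocalGroupItems {
    param([string]$Domain = $env:USERDNSDOMAIN)
    # GPP "Local Users and Groups" items live at
    #   \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Machine\Preferences\Groups\Groups.xml
    $sysvol = "\\$Domain\SYSVOL\$Domain\Policies"
    Get-ChildItem -Path $sysvol -Recurse -Filter Groups.xml -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_.FullName
        $gpo  = if ($file -match '\{[0-9A-Fa-f-]+\}') { $Matches[0] } else { '?' }
        $g    = [xml](Get-Content -Path $file)
        foreach ($grp in @($g.Groups.Group)) {
            $p = $grp.Properties
            if ($p.groupSid -eq $AdminsSid -or $p.groupName -match 'Administrators') {
                foreach ($mem in @($p.Members.Member)) {
                    New-Object PSObject -Property @{
                        GpoGuid = $gpo
                        File    = $file
                        Group   = $p.groupName
                        Member  = $mem.name
                        Sid     = $mem.sid
                        Action  = $mem.action     # ADD / REMOVE
                    }
                }
            }
        }
      }
}

'== Current members of local Administrators =='
Get-LocalAdminMembers | Format-Table Member, Sid, IsDomainUsers -AutoSize
'== Recent 4732 events adding members to BUILTIN\Administrators =='
Get-AdminGroupAdditions | Format-Table Time, MemberSid, Subject, LogonId, ProcessId, ProcNow -AutoSize
'== GPP Local Users and Groups items in SYSVOL that target Administrators =='
Find-GppLocalGroupItems | Format-Table GpoGuid, Group, Member, Action, File -AutoSize
```

If the third section returns a Groups.xml row with Action ADD for a member whose SID ends in -513, that GPO is the source even though no Restricted Groups policy exists; if it returns nothing, the ProcessId column from the 4732 events, matched against a process list captured before the next reboot, is the next place to look.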