When attempting to add new machine to Domain, local admin accounts removed

Question

I am adding new laptops into an existing domain and recently (within last 6 weeks or so) every time I try to add a new laptop to the local domain the local account I created at startup gets changed to a standard account as do all the others I've tried. When I join to the domain with a legit account and give them Administrator rights, it creates the account but without Admin level rights. I've checked the local GP Policies and they are all set to default. This just started happening so not sure if it's update related or not. As long as I don't join the PC to the domain, any local account I create keeps the Admin level privileges, As soon as it joins domain, it changes. I've looked at the policies on the server and can't find anything that stands out that would cause this. Since I've been able to do this routinely until about 4-5 weeks ago, I think it's an update issue. I can't find anything on the Microsoft site that offers anysort of hint. This is now effecting machines that have been on the network in that the Admin level gets wiped on their machines. Even the domain Admin account show up as a Standard account. :( I've tried build 1909, 2004 and 20H2 and they are all exhibiting the same behavior.

Anyone have any ideas (or better yet - experienced this already and know a fix) ??? Been working this for days and it's getting frustrating as I have users that can't even do a driver update because of this issue.

Answer 1

Sounds like something's amiss with some policy.
Domain Admins are, by default, members of the local Administrators groups on all member servers and workstations in their respective domains.
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/appendix-f--securing-domain-admins-groups-in-active-directory#:~:text=If%20Domain%20Admins%20have%20been,by%2Dstep%20instructions%20that%20follow.

as to the users this sounds correct. The local account and domain account are completely different entities. If you want them to be local admins then follow along here.
http://woshub.com/add-domain-users-local-admin-group-gpo/

--please don't forget to Accept as answer if the reply is helpful--

Answer 2

Thanks for the quick reply. I will have to check on this after the server finishes it's updates. I concur with the policy being the potential culprit, just can't find it. Kind of strange that this would manifest itself on it's own. I've not had any issue with adding a user into the domain and then giving them local rights (for such things as installing drivers, etc.) Also odd that the Domain Admin, which as you stated is local admin by default, now all of a sudden, isn't. I can't get to the 2nd link you posted right now as the firewall here has it blocked. I will look at it later and hit this fresh in the morning. Will let you know ...

Answer 3

Hi,

Is there restricted group policy deployed on from the domain?
We can run cmd as administrator on the clients and run command:gpresult /h c:\report.html
Expend the computer and check under: Computer Configuration” > “Policies” > “Windows Settings” > “Security Settings”> Restricted Group

Best Regards,

Answer 4

Finally got this one solved. Turned out to be, in fact, a Domain Controller policy that someone (no one's admitting to it) went in about 4 weeks ago and changed some policy settings they likely shouldn't have. Since this particular policy was a vestige from something we don't use anymore, we were able to deactivate it and the issue with the local access has been resolved. Thanks again for the help and the pointer in the right direction.

:)

Answer 5

I'm experiencing something similar with only specific Intel EVO laptops. I suspect one of our Group policies is at fault as well. What specific policy setting(s) were at fault in your case?

Thanks!