Today we had a very interesting problem with a client who was trying to add a service account to a Windows Active Directory group. The problem was that after the service account was added to the group, it would magically be removed from the group again within a few minutes. This magic was driving our client crazy.

What could be removing users from Active Directory groups? The answer is Group Policy.

While we had never used Group Policy to set the members of a group before, we did know that the feature existed. The question we had was: why would anybody want to use Group Policy to add or remove users from groups? That answer turns out to be security.

If you set group members using Group Policy instead of the usual Active Directory Users and Computers (ADUC) console, you can effectively block lower-level admins from adding and removing users from high-risk security groups like Domain Admins or Enterprise Admins, because the policy reasserts the defined membership at every refresh.

How To Add / Remove Users From Groups Using Group Policy

[Graphic: how to set Active Directory group membership with Group Policy (Restricted Groups)]
  1. Launch the Group Policy Management Editor
  2. Right-click the GPO you want to modify, OR create a new GPO from scratch
  3. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
  4. Right-click the white space in the right pane and select ADD GROUP
  5. Click the BROWSE button and find the group you want to modify
  6. Click the ADD button
  7. Click the BROWSE button and add the users/groups you want to be members of the group

NOTE 1: This will clobber any existing entries in the Active Directory group and any changes to that group made using ADUC will be quickly overwritten (undone) by the GPO.

NOTE 2: The group will not change until the next Group Policy refresh, so you can either wait or run a simple GPUPDATE /FORCE in an elevated command window.

NOTE 3: After the group has been updated in AD, the change will not take effect for those users until they log off and back on. Windows only enumerates a user's groups at logon.

NOTE 4: If the GPO is removed, the last set of users in the group in question will remain in that group.
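When you are the admin chasing the "magic" removal, the quickest way to confirm which GPO is doing it is to look at the [Group Membership] section the Restricted Groups editor writes into that GPO's GptTmpl.inf under SYSVOL. The script below is an added example (not from the original post) that parses that section and predicts what the next refresh will add and remove from a group; the SIDs, group names and file contents are constructed sample data.

```python
"""Parse the [Group Membership] section of a Restricted Groups GptTmpl.inf
and predict what the policy will do to a group at the next GP refresh."""
import configparser

# Constructed sample of what the Restricted Groups editor writes to
# \\<domain>\SYSVOL\<domain>\Policies\{GUID}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# (a real file is UTF-16; open it with encoding="utf-16" before parsing).
# "<group>__Members" is an exclusive list; "<group>__Memberof" adds the
# group to other groups without touching their existing members.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-500,CORP\\Server-Admins
CORP\\App-Operators__Memberof = CORP\\Remote-Users
"""

def parse_group_membership(inf_text):
    """Return {group: {'members': [...] or None, 'memberof': [...] or None}}.
    None means the GPO has no entry of that kind for the group."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep the case of SIDs and group names
    cp.read_string(inf_text)
    result = {}
    if not cp.has_section("Group Membership"):
        return result
    for key, value in cp.items("Group Membership"):
        group, _, kind = key.rpartition("__")  # kind is Members or Memberof
        entry = result.setdefault(group, {"members": None, "memberof": None})
        entry[kind.lower()] = [m.strip() for m in value.split(",") if m.strip()]
    return result

def predict_changes(policy, group, current_members):
    """A __Members list is authoritative: anything not listed is removed
    (the clobber behaviour in NOTE 1) and anything listed is added."""
    entry = policy.get(group)
    if entry is None or entry["members"] is None:
        return {"enforced": False, "added": [], "removed": []}
    enforced, current = set(entry["members"]), set(current_members)
    return {"enforced": True,
            "added": sorted(enforced - current),
            "removed": sorted(current - enforced)}
```

The first key is the well-known SID of the local Administrators group; an entry whose __Members value is empty still counts as enforced and empties the group.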
