
Group policy to administer local accounts


  • Group policy to administer local accounts

    I think we have a problem with a group policy setting that deletes all local accounts on a client PC.
    A piece of software creates a local user account which is needed to run. After a reboot the local user account is deleted.

    Is there such a setting in group policy or am I barking up the wrong tree?

    Thanks Dave

  • #2
    Re: Group policy to administer local accounts

    Originally posted by ozydave View Post
    I think we have a problem with a group policy setting that deletes all local accounts on a client PC.
    A piece of software creates a local user account which is needed to run. After a reboot the local user account is deleted.

    Is there such a setting in group policy or am I barking up the wrong tree?

    Thanks Dave
    I haven't seen that GPO setting as such (however there is a GPO to rename the administrator and guest account) but I can say there wouldn't be one to delete the local Administrator or Guest accounts since that can't be done (without 3rd party tools). So when you say all local accounts are deleted, I think what you mean to say is that local accounts other than Administrator and Guest are being deleted.

    Take a client PC which has been impacted and run GPRESULT.EXE to find out what GPOs are applying to it. Then run GPMC.MSC and examine the effective settings that are being applied in each of the GPOs.
    VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
    boche.net - VMware Virtualization Evangelist
    My advice has no warranties. Follow at your own risk.



    • #3
      Re: Group policy to administer local accounts

      I have just tried another test.
      I moved a test machine into the in-built ‘computers’ Organisational Unit in Active Directory (which can’t be affected by any group policy – I think).
      I then created a test user. The software on the test machine worked fine. After a reboot the test machine software continued to work fine. The local user that the software creates and the test user I created were still there after the reboot.
      I then moved the computer back into its original Organisational Unit in Active Directory – which is affected by a group policy. I rebooted the test machine and hey presto the user that the software creates and the test user I created were both gone.
      So I think it must be something in group policies that removes local users from client PCs.
      I hope this makes sense.
      I have run ‘gpresult’ but can’t see anything that may do this as I can’t compare it.

      Regards
      Dave Cox



      • #4
        Re: Group policy to administer local accounts

        Can you post the GP results up so we can take a look?

        Michael
        Michael Armstrong
        www.m80arm.co.uk
        MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

        ** Remember to give credit where credit is due and leave reputation points where appropriate **



        • #5
          Re: Group policy to administer local accounts

          Hi
          Below are the results of the ‘gpresult’. The first result is when the computer is in the ‘TEST’ OU and the second is when I moved the computer into the inbuilt ‘computers’ OU in active directory. It is the first policy that removes the local users.
          The only thing I can pick up on is that the first policy was applied from ‘Quarrendon04’ (our domain controller)
          The second policy was applied from ‘Quarrendon01’ (our print server). Can’t understand how this can happen. I also did not think that policies could be applied to the inbuilt computer OU, just my lack of knowledge maybe.

          Thanks again
          Dave

          --------------------------------------------------------------------
          first result - inpolicy group
          Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
          Copyright (C) Microsoft Corp. 1981-2001

          Created On 18/04/2007 at 10:34:04



          RSOP results for QUARRENDON\Quaradmin on ARSE : Logging Mode
          -------------------------------------------------------------

          OS Type: Microsoft Windows XP Professional
          OS Configuration: Member Workstation
          OS Version: 5.1.2600
          Domain Name: QUARRENDON
          Domain Type: Windows 2000
          Site Name: Default-First-Site-Name
          Roaming Profile:
          Local Profile: C:\Documents and Settings\Quaradmin
          Connected over a slow link?: No


          COMPUTER SETTINGS
          ------------------
          CN=arse,OU=Test,OU=Curriculum,OU=Layout,DC=quarrendon,DC=bucks,DC=sch,DC=uk
          Last time Group Policy was applied: 18/04/2007 at 08:52:06
          Group Policy was applied from: QUARRENDON04.quarrendon.bucks.sch.uk
          Group Policy slow link threshold: 500 kbps

          Applied Group Policy Objects
          -----------------------------
          Test
          Curriculum
          Layout
          Default Domain Policy

          The following GPOs were not applied because they were filtered out
          -------------------------------------------------------------------
          Local Group Policy
          Filtering: Not Applied (Empty)

          The computer is a part of the following security groups:
          --------------------------------------------------------
          BUILTIN\Administrators
          Everyone
          Debugger Users
          SophosAdministrator
          SophosUser
          BUILTIN\Users
          NT AUTHORITY\NETWORK
          NT AUTHORITY\Authenticated Users
          ARSE$
          Domain Computers


          USER SETTINGS
          --------------
          CN=Quaradmin,CN=Users,DC=quarrendon,DC=bucks,DC=sch,DC=uk
          Last time Group Policy was applied: 18/04/2007 at 08:52:30
          Group Policy was applied from: QUARRENDON04.quarrendon.bucks.sch.uk
          Group Policy slow link threshold: 500 kbps

          Applied Group Policy Objects
          -----------------------------
          Default Domain Policy

          The following GPOs were not applied because they were filtered out
          -------------------------------------------------------------------
          Local Group Policy
          Filtering: Not Applied (Empty)

          The user is a part of the following security groups:
          ----------------------------------------------------
          Domain Users
          Everyone
          Debugger Users
          SophosUser
          SophosAdministrator
          BUILTIN\Users
          BUILTIN\Administrators
          NT AUTHORITY\INTERACTIVE
          NT AUTHORITY\Authenticated Users
          LOCAL
          Group Policy Creator Owners
          Domain Admins
          Enterprise Admins
          Schema Admins
          SophosAdministrator
          EMLibrary Users
          Sophos Console Administrators
          Sophos DB Admins
          Sophos DB Users
          -------------------------------------------------------------------------
          Second Result - Out of policy

          Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
          Copyright (C) Microsoft Corp. 1981-2001

          Created On 18/04/2007 at 10:42:17



          RSOP results for QUARRENDON\Quaradmin on ARSE : Logging Mode
          -------------------------------------------------------------

          OS Type: Microsoft Windows XP Professional
          OS Configuration: Member Workstation
          OS Version: 5.1.2600
          Domain Name: QUARRENDON
          Domain Type: Windows 2000
          Site Name: Default-First-Site-Name
          Roaming Profile:
          Local Profile: C:\Documents and Settings\Quaradmin
          Connected over a slow link?: No


          COMPUTER SETTINGS
          ------------------
          CN=arse,CN=Computers,DC=quarrendon,DC=bucks,DC=sch,DC=uk
          Last time Group Policy was applied: 18/04/2007 at 10:38:47
          Group Policy was applied from: quarrendon01.quarrendon.bucks.sch.uk
          Group Policy slow link threshold: 500 kbps

          Applied Group Policy Objects
          -----------------------------
          Default Domain Policy

          The following GPOs were not applied because they were filtered out
          -------------------------------------------------------------------
          Local Group Policy
          Filtering: Not Applied (Empty)

          The computer is a part of the following security groups:
          --------------------------------------------------------
          BUILTIN\Administrators
          Everyone
          Debugger Users
          SophosAdministrator
          SophosUser
          BUILTIN\Users
          NT AUTHORITY\NETWORK
          NT AUTHORITY\Authenticated Users
          ARSE$
          Domain Computers


          USER SETTINGS
          --------------
          CN=Quaradmin,CN=Users,DC=quarrendon,DC=bucks,DC=sch,DC=uk
          Last time Group Policy was applied: 18/04/2007 at 10:39:07
          Group Policy was applied from: quarrendon01.quarrendon.bucks.sch.uk
          Group Policy slow link threshold: 500 kbps

          Applied Group Policy Objects
          -----------------------------
          Default Domain Policy

          The following GPOs were not applied because they were filtered out
          -------------------------------------------------------------------
          Local Group Policy
          Filtering: Not Applied (Empty)

          The user is a part of the following security groups:
          ----------------------------------------------------
          Domain Users
          Everyone
          Debugger Users
          SophosUser
          SophosAdministrator
          BUILTIN\Users
          BUILTIN\Administrators
          NT AUTHORITY\INTERACTIVE
          NT AUTHORITY\Authenticated Users
          LOCAL
          Group Policy Creator Owners
          Domain Admins
          Enterprise Admins
          Schema Admins
          SophosAdministrator
          EMLibrary Users
          Sophos Console Administrators
          Sophos DB Admins
          Sophos DB Users



          • #6
            Re: Group policy to administer local accounts

            Apparently Quarrendon01 is a domain controller in your site. Might want to check that out.

            GPOs that are applying when the accounts do not disappear:
            Default Domain Policy


            GPOs that are applying when the accounts disappear:
            Test
            Curriculum
            Layout
            Default Domain Policy


            This rules out Default Domain Policy.

            Focus on Test, Curriculum, and Layout. Examine the GPO settings in each one. Could one of those GPOs be calling a logon script that nukes unauthorized local accounts?
            VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
            boche.net - VMware Virtualization Evangelist
            My advice has no warranties. Follow at your own risk.
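
The comparison made by hand in post #6, as an added example that is not part of the original thread: it parses two saved `gpresult` text reports and returns the GPOs applied only in the run where the local accounts were removed. The function names `applied_gpos` and `suspects` are hypothetical, and the sample reports are constructed from the GPO names in the output posted above.

```python
# Constructed sample: gpresult's section layout, trimmed to the lines the parser reads.
TEMPLATE = """\
COMPUTER SETTINGS
------------------
Applied Group Policy Objects
-----------------------------
{gpos}

The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy

USER SETTINGS
--------------
Applied Group Policy Objects
-----------------------------
Default Domain Policy
"""
IN_POLICY = TEMPLATE.format(gpos="Test\nCurriculum\nLayout\nDefault Domain Policy")
OUT_OF_POLICY = TEMPLATE.format(gpos="Default Domain Policy")


def applied_gpos(report, scope="COMPUTER SETTINGS"):
    """Names listed under 'Applied Group Policy Objects' for one scope."""
    gpos, in_scope, in_list = [], False, False
    for raw in report.splitlines():
        line = raw.strip()  # real gpresult output indents these lines
        if line in ("COMPUTER SETTINGS", "USER SETTINGS"):
            in_scope, in_list = line == scope, False
        elif in_scope and line == "Applied Group Policy Objects":
            in_list = True
        elif in_list and not line:
            in_list = False          # a blank line closes the list
        elif in_list and set(line) != {"-"}:
            gpos.append(line)        # skip the dashed underline
    return gpos


def suspects(removed_report, kept_report, scope="COMPUTER SETTINGS"):
    """GPOs applied only in the run where the local accounts were removed."""
    kept = set(applied_gpos(kept_report, scope))
    return [g for g in applied_gpos(removed_report, scope) if g not in kept]


if __name__ == "__main__":
    print("Computer-scope GPOs to inspect:", suspects(IN_POLICY, OUT_OF_POLICY))
    print("User-scope GPOs to inspect:", suspects(IN_POLICY, OUT_OF_POLICY, "USER SETTINGS"))
```

The GPOs it returns are the ones whose settings, including any startup or logon scripts they assign, need to be examined.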



            • #7
              Re: Group policy to administer local accounts

              I found it

              There was a start up script that was deleting any local user apart from the ‘guest’ and ‘Administrator’ accounts, which are disabled by group policy.

              Thanks for your thoughts and input.

              I just didn't think to look at the start up scripts

              Thanks again
              Dave



              • #8
                Re: Group policy to administer local accounts

                Just one point:

                "Users" and "Computers" are NOT OUs. They are CONTAINERS. This is a fundamentally different concept and should remain distinct from OUs in your head.


                Tom
                For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                Anything you say will be misquoted and used against you
