Local Group Membership not Persistent

Archived from groups: microsoft.public.win2000.group_policy (More info?)

When I add Domain Users to a local group (say Power Users) the setting is not there after the workstation restarts. I have searched through the AD Policy settings on the w2k SBS and can't find anything which might be resetting this. The default AD Group Policy settings are all 'not configured'. There are no other Policies further down the AD tree. Two questions:
1. How can I permanently add Domain Users to a local group?
2. If I have an application which requires local permissions to run what is best practice for providing this?
Any help gratefully received!
Cheers,
Bill
6 answers Last reply
More about local group membership persistent
  1. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    On Sun, 18 Jul 2004 22:16:01 -0700, "Bill" <Bill@discussions.microsoft.com>
    wrote:

    >When I add Domain Users to a local group (say Power Users) the setting is not there after the workstation restarts. I have searched through the AD Policy settings on the w2k SBS and can't find anything which might be resetting this. The default AD Group Policy settings are all 'not configured'. There are no other Policies further down the AD tree. Two questions:
    >1. How can I permanently add Domain Users to a local group?
    >2. If I have an application which requires local permissions to run what is best practice for providing this?
    >Any help gratefully received!
    >Cheers,
    >Bill


    How are you adding them?

    On the local machine, try:

    net localgroup "Power Users" "DomainName\UserName" /add


    Jerold Schulman
    Windows: General MVP
    JSI, Inc.
    http://www.jsiinc.com
  2. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Thanks for your response Jerold.
    Logged in as local Administrator, I added them using Computer Management, Local Users and Groups, Right-click on <group>, Add to Group, Add, then selecting domain user group or role, e.g. Domain Users or Authenticated Users.
    Cheers,
    Bill

    "Jerold Schulman" wrote:

    > On Sun, 18 Jul 2004 22:16:01 -0700, "Bill" <Bill@discussions.microsoft.com>
    > wrote:
    >
    > >When I add Domain Users to a local group (say Power Users) the setting is not there after the workstation restarts. I have searched through the AD Policy settings on the w2k SBS and can't find anything which might be resetting this. The default AD Group Policy settings are all 'not configured'. There are no other Policies further down the AD tree. Two questions:
    > >1. How can I permanently add Domain Users to a local group?
    > >2. If I have an application which requires local permissions to run what is best practice for providing this?
    > >Any help gratefully received!
    > >Cheers,
    > >Bill
    >
    >
    > How are you adding them?
    >
    > On the local machine, try:
    >
    > net localgroup "Power Users" "DomainName\UserName" /add
    >
    >
    > Jerold Schulman
    > Windows: General MVP
    > JSI, Inc.
    > http://www.jsiinc.com
    >
  3. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    It sounds like there might be a restricted group policy being applied to the
    workstation. That would correspond to the accounts being removed when you
    reboot the machine because the policy would be re-applied. I would suggest
    checking any GPO's that would apply to the machine for restricted group
    policies for the groups you are interested in.

    You can check which policies you are getting security settings from by
    running "gpresult /v" at a command prompt.

    The policy of interest would be in the following path:
    Computer Configuration\Windows Settings\Security Settings\Restricted Groups

    295771 SMS: A "Restricted Group" Policy May Prevent SMS Clients from Being
    http://support.microsoft.com/?id=295771

    320045 HOW TO: Restrict Group Membership By Using Group Policy in Windows
    2000
    http://support.microsoft.com/?id=320045


    --
    Gary Mudgett, MCSE, MCSA
    Windows 2000/2003 Directory Services

    =====================================================
    When responding to posts, please "Reply to Group" via
    your newsreader so that others may learn and benefit
    from your issue.
    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.

    "Bill" <Bill@discussions.microsoft.com> wrote in message
    news:DF4E6C23-AB4C-415D-9764-E1F0CCA34DF0@microsoft.com...
    > Thanks for your response Jerold.
    > Logged in as local Administrator, I added them using Computer Management,
    Local Users and Groups, Right-click on <group>, Add to Group, Add, then
    selecting domain user group or role, e.g. Domain Users or Authenticated
    Users.
    > Cheers,
    > Bill
    >
    > "Jerold Schulman" wrote:
    >
    > > On Sun, 18 Jul 2004 22:16:01 -0700, "Bill"
    <Bill@discussions.microsoft.com>
    > > wrote:
    > >
    > > >When I add Domain Users to a local group (say Power Users) the setting
    is not there after the workstation restarts. I have searched through the AD
    Policy settings on the w2k SBS and can't find anything which might be
    resetting this. The default AD Group Policy settings are all 'not
    configured'. There are no other Policies further down the AD tree. Two
    questions:
    > > >1. How can I permanently add Domain Users to a local group?
    > > >2. If I have an application which requires local permissions to run
    what is best practice for providing this?
    > > >Any help gratefully received!
    > > >Cheers,
    > > >Bill
    > >
    > >
    > > How are you adding them?
    > >
    > > On the local machine, try:
    > >
    > > net localgroup "Power Users" "DomainName\UserName" /add
    > >
    > >
    > > Jerold Schulman
    > > Windows: General MVP
    > > JSI, Inc.
    > > http://www.jsiinc.com
    > >
  4. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Hi Jerold,
    I will try adding them as you have suggested and see what happens.
    Cheers,
    Bill
    --


    ---------------------------------------------------------------------
    "Are you still wasting your time with spam?...
    There is a solution!"

    Protected by GIANT Company's Spam Inspector
    The most powerful anti-spam software available.
    http://mail.spaminspector.com


    "Jerold Schulman" <Jerry@jsiinc.com> wrote in message
    news:3llnf01d548k98t4kjg25003iffge5lm8p@4ax.com...
    > On Sun, 18 Jul 2004 22:16:01 -0700, "Bill"
    <Bill@discussions.microsoft.com>
    > wrote:
    >
    > >When I add Domain Users to a local group (say Power Users) the setting is
    not there after the workstation restarts. I have searched through the AD
    Policy settings on the w2k SBS and can't find anything which might be
    resetting this. The default AD Group Policy settings are all 'not
    configured'. There are no other Policies further down the AD tree. Two
    questions:
    > >1. How can I permanently add Domain Users to a local group?
    > >2. If I have an application which requires local permissions to run what
    is best practice for providing this?
    > >Any help gratefully received!
    > >Cheers,
    > >Bill
    >
    >
    > How are you adding them?
    >
    > On the local machine, try:
    >
    > net localgroup "Power Users" "DomainName\UserName" /add
    >
    >
    > Jerold Schulman
    > Windows: General MVP
    > JSI, Inc.
    > http://www.jsiinc.com
  5. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    Thanks, Gary.
    I will have a look at gpresult and see what it tells me and read the
    references you have given me. I guess you can tell I am new to Group Policy?
    Cheers,
    Bill

    --


    ---------------------------------------------------------------------
    "Are you still wasting your time with spam?...
    There is a solution!"

    Protected by GIANT Company's Spam Inspector
    The most powerful anti-spam software available.
    http://mail.spaminspector.com


    "Gary Mudgett [MSFT]" <garymu@online.microsoft.com> wrote in message
    news:uo4J6OgbEHA.2816@TK2MSFTNGP11.phx.gbl...
    > It sounds like there might be a restricted group policy being applied to
    the
    > workstation. That would correspond to the accounts being removed when you
    > reboot the machine because the policy would be re-applied. I would
    suggest
    > checking any GPO's that would apply to the machine for restricted group
    > policies for the groups you are interested in.
    >
    > You can check which policies you are getting security settings from by
    > running "gpresult /v" at a command prompt.
    >
    > The policy of interest would be in the following path:
    > Computer Configuration\Windows Settings\Security Settings\Restricted
    Groups
    >
    > 295771 SMS: A "Restricted Group" Policy May Prevent SMS Clients from Being
    > http://support.microsoft.com/?id=295771
    >
    > 320045 HOW TO: Restrict Group Membership By Using Group Policy in Windows
    > 2000
    > http://support.microsoft.com/?id=320045
    >
    >
    > --
    > Gary Mudgett, MCSE, MCSA
    > Windows 2000/2003 Directory Services
    >
    > =====================================================
    > When responding to posts, please "Reply to Group" via
    > your newsreader so that others may learn and benefit
    > from your issue.
    > =====================================================
    > This posting is provided "AS IS" with no warranties, and confers no
    rights.
    >
    > "Bill" <Bill@discussions.microsoft.com> wrote in message
    > news:DF4E6C23-AB4C-415D-9764-E1F0CCA34DF0@microsoft.com...
    > > Thanks for your response Jerold.
    > > Logged in as local Administrator, I added them using Computer
    Management,
    > Local Users and Groups, Right-click on <group>, Add to Group, Add, then
    > selecting domain user group or role, e.g. Domain Users or Authenticated
    > Users.
    > > Cheers,
    > > Bill
    > >
    > > "Jerold Schulman" wrote:
    > >
    > > > On Sun, 18 Jul 2004 22:16:01 -0700, "Bill"
    > <Bill@discussions.microsoft.com>
    > > > wrote:
    > > >
    > > > >When I add Domain Users to a local group (say Power Users) the
    setting
    > is not there after the workstation restarts. I have searched through the
    AD
    > Policy settings on the w2k SBS and can't find anything which might be
    > resetting this. The default AD Group Policy settings are all 'not
    > configured'. There are no other Policies further down the AD tree. Two
    > questions:
    > > > >1. How can I permanently add Domain Users to a local group?
    > > > >2. If I have an application which requires local permissions to run
    > what is best practice for providing this?
    > > > >Any help gratefully received!
    > > > >Cheers,
    > > > >Bill
    > > >
    > > >
    > > > How are you adding them?
    > > >
    > > > On the local machine, try:
    > > >
    > > > net localgroup "Power Users" "DomainName\UserName" /add
    > > >
    > > >
    > > > Jerold Schulman
    > > > Windows: General MVP
    > > > JSI, Inc.
    > > > http://www.jsiinc.com
    > > >
    >
    >
  6. Archived from groups: microsoft.public.win2000.group_policy (More info?)

    That is fine. I hope the information helps!

    --
    Gary Mudgett, MCSE, MCSA
    Windows 2000/2003 Directory Services

    =====================================================
    When responding to posts, please "Reply to Group" via
    your newsreader so that others may learn and benefit
    from your issue.
    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.

    "Bill Glidden" <bglidden@bigpong.net> wrote in message
    news:u6ad96kbEHA.3524@TK2MSFTNGP12.phx.gbl...
    > Thanks, Gary.
    > I will have a look at gpresult and see what it tells me and read the
    > references you have given me. I guess you can tell I am new to Group
    Policy?
    > Cheers,
    > Bill
    >
    > --
    >
    >
    > ---------------------------------------------------------------------
    > "Are you still wasting your time with spam?...
    > There is a solution!"
    >
    > Protected by GIANT Company's Spam Inspector
    > The most powerful anti-spam software available.
    > http://mail.spaminspector.com
    >
    >
    > "Gary Mudgett [MSFT]" <garymu@online.microsoft.com> wrote in message
    > news:uo4J6OgbEHA.2816@TK2MSFTNGP11.phx.gbl...
    > > It sounds like there might be a restricted group policy being applied to
    > the
    > > workstation. That would correspond to the accounts being removed when
    you
    > > reboot the machine because the policy would be re-applied. I would
    > suggest
    > > checking any GPO's that would apply to the machine for restricted group
    > > policies for the groups you are interested in.
    > >
    > > You can check which policies you are getting security settings from by
    > > running "gpresult /v" at a command prompt.
    > >
    > > The policy of interest would be in the following path:
    > > Computer Configuration\Windows Settings\Security Settings\Restricted
    > Groups
    > >
    > > 295771 SMS: A "Restricted Group" Policy May Prevent SMS Clients from
    Being
    > > http://support.microsoft.com/?id=295771
    > >
    > > 320045 HOW TO: Restrict Group Membership By Using Group Policy in
    Windows
    > > 2000
    > > http://support.microsoft.com/?id=320045
    > >
    > >
    > > --
    > > Gary Mudgett, MCSE, MCSA
    > > Windows 2000/2003 Directory Services
    > >
    > > =====================================================
    > > When responding to posts, please "Reply to Group" via
    > > your newsreader so that others may learn and benefit
    > > from your issue.
    > > =====================================================
    > > This posting is provided "AS IS" with no warranties, and confers no
    > rights.
    > >
    > > "Bill" <Bill@discussions.microsoft.com> wrote in message
    > > news:DF4E6C23-AB4C-415D-9764-E1F0CCA34DF0@microsoft.com...
    > > > Thanks for your response Jerold.
    > > > Logged in as local Administrator, I added them using Computer
    > Management,
    > > Local Users and Groups, Right-click on <group>, Add to Group, Add, then
    > > selecting domain user group or role, e.g. Domain Users or Authenticated
    > > Users.
    > > > Cheers,
    > > > Bill
    > > >
    > > > "Jerold Schulman" wrote:
    > > >
    > > > > On Sun, 18 Jul 2004 22:16:01 -0700, "Bill"
    > > <Bill@discussions.microsoft.com>
    > > > > wrote:
    > > > >
    > > > > >When I add Domain Users to a local group (say Power Users) the
    > setting
    > > is not there after the workstation restarts. I have searched through
    the
    > AD
    > > Policy settings on the w2k SBS and can't find anything which might be
    > > resetting this. The default AD Group Policy settings are all 'not
    > > configured'. There are no other Policies further down the AD tree. Two
    > > questions:
    > > > > >1. How can I permanently add Domain Users to a local group?
    > > > > >2. If I have an application which requires local permissions to run
    > > what is best practice for providing this?
    > > > > >Any help gratefully received!
    > > > > >Cheers,
    > > > > >Bill
    > > > >
    > > > >
    > > > > How are you adding them?
    > > > >
    > > > > On the local machine, try:
    > > > >
    > > > > net localgroup "Power Users" "DomainName\UserName" /add
    > > > >
    > > > >
    > > > > Jerold Schulman
    > > > > Windows: General MVP
    > > > > JSI, Inc.
    > > > > http://www.jsiinc.com
    > > > >
    > >
    > >
    >
    >
Ask a new question

Read More

Policy Domain Windows