Today we had a very cool problem with a client who was trying to add a service account to a Windows Active Directory group. The problem was that after the service account was added to the group, it would magically be removed from the group again within a few minutes. This magic was driving our client crazy.
What could be removing users from Active Directory groups? …And the answer is Group Policy.
While we have never used Group Policy to set a list of users to be in a group before, we did know that it existed. The question we had was why would anybody want to use Group Policy to add or remove users from groups? And that answer turns out to be security.
If you set group members using Group Policy, instead of the usual Active Directory Users and Computers (ADUC), you can effectively block lower-level admins from adding and removing users in high-risk security groups like Domain Admins or Enterprise Admins: whatever they change by hand, the GPO puts back at the next refresh.
NOTE 1: This will clobber any existing entries in the Active Directory group and any changes to that group made using ADUC will be quickly overwritten (undone) by the GPO.
NOTE 2: The group will not change until the next time Group Policy is refreshed, so you can either wait or run a simple GPUPDATE /FORCE in an elevated command window.
NOTE 3: After the group has been updated in AD, it will not take effect for the affected users until they log off and back on. Windows only enumerates a user's groups at logon.
NOTE 4: If the GPO is removed, the last set of users in the group in question will remain in that group.
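When a group keeps reverting like this, the first thing to find is which GPO owns it. The policy behind this behaviour is written to each GPO's security template (GptTmpl.inf) in SYSVOL under a [Group Membership] section, where a `__Members` line replaces the group's membership outright and a `__Memberof` line only adds the group somewhere. The script below is an added example, not part of the original post: it parses that section and walks a copy of the Policies folder to name the GPOs enforcing a given group. The sample template and every SID in it are constructed.

```python
import re
from pathlib import Path

# Constructed sample of the [Group Membership] section a Restricted Groups
# setting writes to a GPO's GptTmpl.inf in SYSVOL (all SIDs invented).
SAMPLE_GPTTMPL = """\
[Version]
signature="$CHICAGO$"
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512
*S-1-5-21-1111111111-2222222222-3333333333-1105__Memberof =
*S-1-5-21-1111111111-2222222222-3333333333-1105__Members = *S-1-5-21-1111111111-2222222222-3333333333-500,CORP\\svc-backup
"""
KEY_RE = re.compile(r"(.+)__(Members|Memberof)")

def parse_group_membership(text):
    """Map each group (*SID or Domain\\Name) to its Members / Memberof lists."""
    result = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):          # a new [Section] header
            in_section = line.lower() == "[group membership]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        match = KEY_RE.fullmatch(key.strip())
        if match:
            group, kind = match.groups()
            entry = result.setdefault(group, {"Members": None, "Memberof": None})
            entry[kind] = [v.strip() for v in value.split(",") if v.strip()]
    return result

def enforced_members(text):
    """Groups this policy clobbers: a Members line replaces the whole list
    (even an empty one empties the group); Memberof only adds, never removes."""
    return {g: e["Members"] for g, e in parse_group_membership(text).items()
            if e["Members"] is not None}

def find_enforcing_gpos(policies_dir, group):
    """Name every {GUID} GPO folder under SYSVOL\\...\\Policies that enforces `group`."""
    hits = []
    for inf in Path(policies_dir).rglob("GptTmpl.inf"):
        data = inf.read_bytes()  # GptTmpl.inf is normally UTF-16 with a BOM
        enc = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
        if group in enforced_members(data.decode(enc, errors="replace")):
            hits.append(inf.relative_to(policies_dir).parts[0])
    return hits
```

Point `find_enforcing_gpos` at a domain's Policies share (or an offline copy) with the group's SID, prefixed with `*`, to get the GUID folders of the GPOs that will keep overwriting it.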