AD Group added to Local Admins not working on domain-joined PC - adding a user directly to local admins does?

windows permissions active-directory group-policy

Solution 1:

To long for a comment; but To make a simple test; Make like in the start; please add the LocalAdmin groups to your Local Admin group and remove the direct Bob entry

Login as Bob on Harry computer. Issue a whoami /groups /fo list, let us know the output. You should see BUIlTIN/Administrator, if not then;

Your bug remind me of nested group limitation/bug, as from memory with GPO, aka Restricted Group policy you can bypass that restriction. I suspect your domain level dont help us there.

Not much documentation still exist, but see there;

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc776499(v=ws.10)?redirectedfrom=MSDN

or there;

https://www.cbfive.com/no-local-group-nestingeven-if-it-looks-like-there-is/

Related

Jenkins Github Branch Source Plugin Failing with Github Token after today's Github auth changes
After hard drive updated to SSD and memory upgrade Windows freezes and throw BSoD en less than 30 minutes, it works fine under Linux
Generated systemd unit does not start on boot
How to use start command in bash on Windows
CPU being used up by some background process
How to disable the mouse wheel scrolling in mpv?
How to Calculate Next N-Year-versarry in Excel
How to disable the popup of Google translate in chrome while it still translates
How do I disown/detach a process from the Git Bash terminal that come with Git's Windows installer?
How to reset the Windows 10 administrator password for a VM in Hyper-V? [duplicate]
Power Pivot DAX dynamic Percent of Column
Downgrade hardware compatibility