Bug 13730 - Adding domain group to local Administrators group doesn't do anything.
Summary: Adding domain group to local Administrators group doesn't do anything.
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other (show other bugs)
Version: 4.7.10
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2018-12-24 04:24 UTC by Patrick Headley
Modified: 2021-08-03 05:07 UTC (History)
1 user (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Patrick Headley 2018-12-24 04:24:36 UTC
Following the instructions here:


I'm trying to add DOMAIN\Domain Users to the Administrators group on workstations that are joined to the domain. 

The Group Name for the Restricted Group is DOMAIN\Domain Users.

I've set this groujp as a member of Administrators.

Upon completion of the instructions and running gpupdate /force, nothing has changed. The domain groups in the local Administrators group remain but Domain Users hasn't been added. Even tried rebooting a workstation that should get the new group added to the local Administrators group.

I can add the domain group to each workstation manually.

What do I need to do to fix this issue?
Comment 1 Patrick Headley 2018-12-29 22:22:29 UTC
Please note that I couldn't find this bug because I was clicking on the My Requests link instead of My Bugs. Because of that error I submitted bug #13732 that contains the resolution.

Maybe the maintainers of Bugzilla can combine the two bug reports into one.
Comment 2 Patrick Headley 2018-12-29 22:34:30 UTC
My apologies. I confused this bug with a different one. I set the status back to REOPENED, as this issue is not yet resolved.
Comment 3 Rowland Penny 2021-08-02 18:21:21 UTC
Closing this as worksforme, not that I have tried adding Domain Users to Administrators, who really would want every domain user to be an administrator ?

I can add groups to Administrators and they work, users who are members of a group added become an administrator.
Comment 4 Patrick Headley 2021-08-02 22:42:42 UTC
I don't recall the exact reason why it was desirable to have the Domain Users group be part of the local administrators on the workstations. I believe a client of mine wanted it that way. I know my domain is not configured that way.

Thanks for looking into the situation.
Comment 5 Andrew Bartlett 2021-08-03 05:07:53 UTC
Could the issue here be primary vs secondary groups?

We had strange issues with primary groups on MIT Kerberos based AD DC installs a while back that we never got to the bottom of.

Even if not administrators, it should be possible to add a primary group to a local alias.