Find Computers where Domain Users are Local Admin - Request to verify possible false-positive

[IllllIIIIIIII]

Hi all,
scenario (no loopback is configured, no block inheritance, no enforcement, no item-level targeting, no wmi-filter, no delegation to deny GPO apply):

OU = Country, has linked GPO1 which has Computer settings Restricted Groups to add Built-In Domain Users into computers local Builtin\Administrators group. *GPO Status: Computer configuration settings disabled

OU Country, has Sub OU City, to OU City the linked GPO2 has Computer settings Local Users and Groups, to add a manually created AD Group to computers local Built-In Administrators groups.

Result on computer: In local built-in administrators group the manually created ad group gets added.

Result on Bloodhound, for query "Find Computers where Domain Users are local Admins":
"Domain Users" has AdminTo "[Computer-FQDN]"

My guess is here, indeed calculation knows about restricted group takes precedence versus local users and groups settings (although it is linked to sub ou Edit01-Start:, if gpupdate /force Edit01-End), but what seems missing here is the fact that the computer settings are disabled under GPO Status.

Can may someone please verify described scenario or may someone can already state if the logic when GPO status is set on disabling the computer settings part, that this is covered during the calculation of the final result (in this context Restricted Groups versus Local Users and Groups behaviour?

In case you need more information from me, please let me know.

BR,
IllllIIIIIIII

[JonasBK]

Hi @IllllIIIIIIII,

I have confirmed the bug. We do not take the GPO status into account. At least not "Computer configuration settings disabled".
Thanks for reporting this, we will get it fixed 👍