ODMAD: Issue during Cutover, local Remote Desktop Users group not being populated
The issue is caused by a Security Baseline GPO in the target domain.
When a machine is joined to the new domain:
Group Policy Objects (GPOs) from the target domain begin applying.
If the domain is using a security baseline GPO, like Microsoft's Security Baseline for Windows 11 23H2 (or later), it likely includes policies that manage local group memberships, including Restricted Groups or Group Policy Preferences (GPP).
If those policies are configured to define the membership of the Remote Desktop Users group, then:
All existing local users or domain users in that group will be removed.
Only the accounts specified in the GPO will remain.
If using Group Policy Preferences:
Change the action from Replace → Update.
Add required domain groups/users to the Remote Desktop Users group via GPP.
Create a temporary GPO scoped to OUs for migrated machines.
Use GPP to add the required users/groups to Remote Desktop Users without affecting what's already there.
Once migration is complete and user access is standardized, remove or adjust as needed.
Please note that ODMAD ReACL will correctly process the Remote Desktop Users group according to the mappings. The problem is caused by target domain GPOs, and fixing them is outside the scope of ODMAD.
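An added example (not part of the original article, and not Quest or Microsoft code): a PowerShell check that reads a GPO's Groups.xml (Group Policy Preferences) and GptTmpl.inf (Restricted Groups) and reports settings that overwrite the membership of Remote Desktop Users. The function name, sample account name and sample SIDs are constructed for illustration; the paths in the comments are the standard per-GPO locations in SYSVOL.

```powershell
# Added example. Flags GPO settings that overwrite the membership of
# Remote Desktop Users (well-known SID S-1-5-32-555).
$RduSid = 'S-1-5-32-555'

function Find-RduOverwrite {   # hypothetical helper name
    param([string]$GroupsXml, [string]$GptTmpl)
    $findings = @()
    if ($GroupsXml) {
        # GPP Local Users and Groups: action R = Replace, U = Update
        foreach ($p in ([xml]$GroupsXml).SelectNodes('//Group/Properties')) {
            $isRdu = $p.GetAttribute('groupSid') -eq $RduSid -or
                     $p.GetAttribute('groupName') -like 'Remote Desktop Users*'
            if (-not $isRdu) { continue }
            if ($p.GetAttribute('action') -eq 'R') {
                $findings += 'GPP: action is Replace; existing members are removed'
            } elseif ($p.GetAttribute('deleteAllUsers') -eq '1' -or
                      $p.GetAttribute('deleteAllGroups') -eq '1') {
                $findings += 'GPP: "Delete all member users/groups" is set; existing members are removed'
            }
        }
    }
    if ($GptTmpl) {
        # Restricted Groups: a "<group>__Members" line under [Group Membership]
        # defines the complete member list of that group.
        foreach ($line in $GptTmpl -split '\r?\n') {
            if ($line -match "^\s*\*?($RduSid|Remote Desktop Users)__Members\s*=") {
                $findings += "Restricted Groups: $($line.Trim())"
            }
        }
    }
    $findings
}

# Constructed sample inputs. On a real domain, read them with Get-Content -Raw from:
#   <SYSVOL>\Policies\{GPO-GUID}\Machine\Preferences\Groups\Groups.xml
#   <SYSVOL>\Policies\{GPO-GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf
$sampleXml = @'
<Groups><Group name="Remote Desktop Users (built-in)">
  <Properties action="R" groupSid="S-1-5-32-555" groupName="Remote Desktop Users (built-in)">
    <Members><Member name="TARGET\RDP-Admins" action="ADD" /></Members>
  </Properties>
</Group></Groups>
'@
$sampleInf = @'
[Group Membership]
*S-1-5-32-555__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105
'@
Find-RduOverwrite -GroupsXml $sampleXml -GptTmpl $sampleInf
```

A GPP item set to Update with either "Delete all member" option enabled still clears existing members, so the check reports that case as well as Replace.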