After rebooting for this month's security updates, we're unable to logon to our DCs with our Domain Admin accounts, via RDP nor locally. We get a message that says "the user has not been granted the requested logon type at this computer". I discovered that the local administrators group on the DCs no longer contains the Domain Admins or Enterprise Admins groups, but it does contain the local administrator account. I'm aware that I can manually run a command to add those groups back, but is that the best approach to resolve this? Also, if I add a group to the local admins on one DC, will that replicate to all DCs?
Some details:
We're running all Windows Server 2012 R2 DCs on 2008 R2 Forest and Domain level functionality. We have a hub and spoke topoligy. Replication appears to be working.
We're still able to manage the domain with our Domain Admin accounts via mmc from other hosts, so this seems to only affect local authentication to DCs.
Gpresults doesn't show any GPOs manipulating the local Administrators group.