
Domain Users automatically added to Local Power Users

Discussion in 'Windows Server System' started by crunchynet, 2007/09/10.

  1. 2007/09/10
    crunchynet

    I am having this weird problem, where every morning the Domain Users group is automatically added to the Local Power Users in all my terminal servers. Every day I will remove the group, but it is added again. While looking at my security events, I discovered these two suspicious entries.

    Event Type: Success Audit
    Event Source: Security
    Event Category: Account Management
    Event ID: 636
    Date: 9/9/2007
    Time: 6:45:28 AM
    User: NT AUTHORITY\SYSTEM
    Computer: OEC-TS1
    Description:
    Security Enabled Local Group Member Added:
    Member Name: -
    Member ID: OECINC\Domain Users
    Target Account Name: Power Users
    Target Domain: Builtin
    Target Account ID: BUILTIN\Power Users
    Caller User Name: OEC-TS1$
    Caller Domain: OECINC
    Caller Logon ID: (0x0,0x3E7)
    Privileges: -



    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 576
    Date: 9/9/2007
    Time: 6:45:27 AM
    User: NT AUTHORITY\SYSTEM
    Computer: OEC-TS1
    Description:
    Special privileges assigned to new logon:
    User Name: OEC-TS1$
    Domain: OECINC
    Logon ID: (0x0,0x4C9953)
    Privileges: SeSecurityPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeTakeOwnershipPrivilege
    SeDebugPrivilege
    SeSystemEnvironmentPrivilege
    SeLoadDriverPrivilege
    SeImpersonatePrivilege

    I really don’t want my users to be power users under this terminal server environment. Any help here will be really appreciated, since I am losing my mind on this one. I have done research on this and found nothing so far.
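
As an added example (not part of the original posts): a small Python parser for exported Security log text that groups Event ID 636 additions of broad groups to watched local groups, so a daily recurrence and a LocalSystem caller (logon ID 0x3E7) stand out. The `record()` helper, the watched and broad group lists, the second and third records and the user `jsmith` are constructed assumptions, and records are assumed to be separated by blank lines.

```python
import re
from collections import defaultdict

# Constructed input: the first record mirrors the Event ID 636 in the post (trimmed);
# the other two are made-up records (user "jsmith" is hypothetical) for contrast.
def record(date, time, member, group, caller, logon_id):
    return (f"Event ID: 636\nDate: {date}\nTime: {time}\nComputer: OEC-TS1\n"
            f"Member ID: {member}\nTarget Account Name: {group}\n"
            f"Caller User Name: {caller}\nCaller Logon ID: (0x0,{logon_id})\n")

SAMPLE = "\n".join([
    record("9/9/2007", "6:45:28 AM", r"OECINC\Domain Users", "Power Users", "OEC-TS1$", "0x3E7"),
    record("9/10/2007", "6:45:31 AM", r"OECINC\Domain Users", "Power Users", "OEC-TS1$", "0x3E7"),
    record("9/10/2007", "9:12:03 AM", r"OECINC\helpdesk1", "Remote Desktop Users", "jsmith", "0x51A2B0"),
])

# Assumptions: which local groups to watch and which members count as "broad".
WATCHED_GROUPS = {"power users", "administrators"}
BROAD_MEMBERS = {"domain users", "authenticated users", "everyone"}

def parse_events(text):
    """Split exported event text on blank lines; each 'Field: value' line becomes a dict entry."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        events.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return events

def recurring_additions(events):
    """Group risky 636 additions by (computer, group, member) with date, time and caller type."""
    hits = defaultdict(list)
    for ev in events:
        member = ev.get("Member ID", "").split("\\")[-1].lower()
        group = ev.get("Target Account Name", "").lower()
        if ev.get("Event ID") == "636" and group in WATCHED_GROUPS and member in BROAD_MEMBERS:
            # Logon ID 0x3E7 is the LocalSystem session: the change came from the server itself.
            by_system = ev.get("Caller Logon ID", "").strip("()").split(",")[-1].lower() == "0x3e7"
            hits[(ev.get("Computer"), group, member)].append((ev.get("Date"), ev.get("Time"), by_system))
    return dict(hits)

if __name__ == "__main__":
    for key, when in recurring_additions(parse_events(SAMPLE)).items():
        print(key, when)
```

On Windows Vista/Server 2008 and later the same event is logged as ID 4732.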
     
  2. 2007/09/12
    Bursley

    from http://www.microsoft.com/technet/archive/termsrv/maintain/security/securaud.mspx?mfr=true


    SOFTWARE\Microsoft\Windows

    This subkey contains a number of system defaults including some desktop default icons and even the tips that are displayed after logon. Although some subkeys have the Everyone group set to Read, a large number of them allow this group to update values and add keys. Only a few subkeys allow the deletion of values or keys.

    It is interesting to note that most of these keys include permissions for the Power Users group. We prefer not to utilize this group at all, so when possible we eliminate the permissions for Power Users. You may want to keep them, but we suggest that you keep careful track of what users are members of the local Power Users group.

    Warning: The default permissions for the local Power Users group on TSE are identical to those for a regular NT workstation. This includes allowing a power user to shut down a Terminal Server.

    We suggest that you modify the permissions for the Windows key and all subkeys from the default to the following:

    Default Permissions:
      Full Control: CREATOR OWNER, Administrators, SYSTEM
      Special Access (QSCENR): Everyone
      Special Access (QSCENDR): Power Users

    Suggested Permissions:
      Full Control: CREATOR OWNER, Administrators, SYSTEM
      Read: Everyone
      Replace permissions on existing subkeys.
     
