Solved

Remove Local Admin Rights from all computers in a specific OU

Posted on 2009-04-14
14
202 Views
Last Modified: 2013-11-05
When our computers were configured, users were added locally to the administrators group.  I would like to remove all users from the administrator group & put them in the Power Users group instead.  That said, we have over 250 computers with this set up, so I am looking for a way to do a GPO per OU that can do this.  I found an article online, but it looks to only pertain to Server 2008 & Vista.  All of our clients are XP Pro SP2 or SP3 & our domain is Server 2003.

Please let me know what can be done to accomplish this.

Thanks!
0
Comment
Question by:rustyrpage
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 6
14 Comments
 
LVL 10

Expert Comment

by:Darylx
ID: 24138864
Configure a GPO on the OU and configure the "Restricted Groups" setting so that the local Administrators group contains only the Domain Admins group.
0
 
LVL 10

Expert Comment

by:Darylx
ID: 24138943
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24138977
So help me out with this one - I will create a new restricted group with my domain admins group only....how will I actually remove the local users from the administrator group (as they are manually there already)....how will I add the current users to the Power Users group?
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 10

Accepted Solution

by:
Darylx earned 500 total points
ID: 24139121
"Add" a group named Administrators.  In the members section, enter "yourdomain\domain admins".  Every time the GPO refreshes, everyone except domain administrators will be removed from the administrators group.

Adding the users to the Power Users group will be more difficult if you only want the 'user' of a particular PC to be in the power users group.  If you don't mind all users being in the power users group on all PCs, you could add the domain users group to the Power Users group.

Add another group named "Power Users".  Add "yourdomain\domain users" to the power users group.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24139144
So the name of the Security Group is the local group.

Are there downsides to adding everyone to Power Users?
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24139174
Okay - I did it as a test to a subset of computers, I'll let you know.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24139180
What about system & the other local login accounts?  Will they be removed?
0
 
LVL 10

Expert Comment

by:Darylx
ID: 24139600
It won't affect the System account - the system account isn't listed in the Administrators group.  Other local accounts will be removed.  I forgot to mention above... you should list "Administrator" in the membership of the Adminstrators group as well as domain admins.

The obvious downside to have everyone in the Power Users group is that everyone will get power user rights on the computers.  Power Users can do most things on a PC.  This is still more secure than having everyone in the administrators group though.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24139608
Can a Power User install an application though?  That is the key we're trying to stop...however, we do have several on-line websites (Salesforce.com etc) that use ActiveX controls & that has been our major issue all along.

We have local administrator disabled at every computer, so that shouldn't be an issue =)
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24142989
One other thing - can Power User see/modify/delete other user profile's data?  In other words, if someone is the primary user, can a secondary user come, log in & see the primary user's information (My documents etc)
0
 
LVL 10

Expert Comment

by:Darylx
ID: 24145491
A Power User will be able to install some but not all applications.  They won't be able to see into another user's profile folders.
0
 
LVL 10

Expert Comment

by:Darylx
ID: 24145503
If you don't want users installing software, I would just leave them in the default Users group.  If they need some Active X controls for your corporate websites, you could look at using Group Policy to install the required Active X controls.
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24148200
The issue with the active-X is that we don't know when it comes out etc & to have to create a GPO every time wouldn't be efficient.  That said, I may limit power users just to certain groups.

Thanks for the feedback!
0
 
LVL 6

Author Comment

by:rustyrpage
ID: 24169682
Why is it that all of the users that were removed from the administrators group were dumped into the debugging users group?
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

So you have two Windows Servers and you have a directory/folder/files on one that you'd like to mirror to the other?  You don't really want to deal with DFS or a 3rd party solution like Doubletake. You can use Robocopy from the Windows Server 200…
I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question