  • Status: Solved
  • Priority: Medium
  • Security: Public

How to remove Security Group from Local Administrators group

I modified the Domain Group policy (through Restricted Groups setting) to allow the security group "STAFF" to be members of the "ADMINISTRATORS" group.

Now that our CMS software upgrade is complete, I want to remove the "STAFF" security group from the Local Administrators group on all the office workstations.  What is the best way to do that?

I already tried amending the Domain Group policy's "RESTRICTED GROUPs" to remove "STAFF" but even after refreshing Group Policy on the local workstations the security group "STAFF" is still present in the "LOCAL ADMINISTRATORS" group.  Please tell me I do not have to manually remove this group on each PC!
Asked by: dealvis

1 Solution
 
snoopfrogg Commented:
Verify that you're using the "Members" Restricted Group list versus the "MemberOf" list.  

Description of Group Policy Restricted Groups
http://support.microsoft.com/kb/279301

From http://www.windowsecurity.com/articles/Using-Restricted-Groups.html:

"Members of this group: This setting allows you to control the members of the group that you specify for the policy. The members can include both user and group accounts. When you configure the members of a group, it will overwrite the existing membership of the group and replace the members with those specified within the GPO. If you were to configure this setting and leave the members blank, then the group would not have any members after the GPO applied to the computer."
 
dealvis (Author) Commented:
Are you saying I need to specify the allowed membership of the Local Administrators group via Group Policy to remove our staff members' security group from the Local Admins group on the office computers they use?
 
snoopfrogg Commented:
Right.  The "Members" list specifies which users and/or groups will be members of the local Administrators group on computers affected by the GPO.

Any users or groups not listed in the GPO will be removed from the local Administrators group when Group Policy refreshes on computers.  On the other hand, if a user or group is listed in the GPO but is not found in a computer's local Administrators group, the user or group will be added.
 
dealvis (Author) Commented:
OK, I see your solution should work but was wondering how to prevent my laptop users from being removed from the Local Admins group if I do what you say?  Should I put the laptop users in a security group and exempt the policy from applying to them?
 
snoopfrogg Commented:
Regarding laptop users, your solution will work fine: place the users in a security group, then add that security group to the Members list.  This will add the security group to the Local Administrators group on your affected workstations and laptops.

I'm assuming you want laptop users to be Local Administrators on laptops only.  If so, create a separate GPO and apply it to an OU containing the computer accounts belonging to your laptops.  Modify the Members list to include the security group containing laptop users.
 
dealvis (Author) Commented:
Your directions on the proper use of GP for this situation were exactly what I am trying to implement - Thanks.
0
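
An added example, not written by either poster: a PowerShell check that the local Administrators group on each machine matches the intended "Members" list once the Restricted Groups policy has refreshed. The domain name CONTOSO, the group names and the computer names are placeholders, and the script assumes PowerShell remoting (WinRM) is enabled on the targets.

```powershell
# Added example: audit local Administrators against the intended "Members" list.
# Everything named CONTOSO\..., WKSTN-.. or LAPTOP-.. is a placeholder.

# The accounts/groups you listed under "Members of this group" in the GPO
$Allowed = @(
    'CONTOSO\Domain Admins',
    'CONTOSO\Laptop Admins'
)

# Machines the GPO applies to (placeholder names)
$Computers = @('WKSTN-01', 'WKSTN-02', 'LAPTOP-01')

# Collect the membership of BUILTIN\Administrators on every machine.
# S-1-5-32-544 is the group's well-known SID, so this works on any OS language.
$members = Invoke-Command -ComputerName $Computers `
    -ErrorAction SilentlyContinue -ErrorVariable failed -ScriptBlock {
        Get-LocalGroupMember -SID 'S-1-5-32-544' |
            Select-Object Name, ObjectClass, PrincipalSource
    }

# Anything not on the allow list is a leftover, e.g. CONTOSO\STAFF.
# The built-in local Administrator account is skipped here.
$unexpected = $members | Where-Object {
    $_.Name -notin $Allowed -and
    $_.Name -ne "$($_.PSComputerName)\Administrator"
}

if ($unexpected) {
    $unexpected |
        Sort-Object PSComputerName, Name |
        Format-Table PSComputerName, Name, ObjectClass, PrincipalSource -AutoSize
} else {
    Write-Output 'All reachable machines match the allow list.'
}

# Machines that could not be queried still need a manual check.
foreach ($err in $failed) {
    Write-Warning "Could not query $($err.TargetObject)"
}
```

Run `gpupdate /force` on a test machine first; `gpresult /r /scope computer` shows whether the GPO carrying the Restricted Groups setting was actually applied to it.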
