dealvis asked:

How to remove Security Group from Local Administrators group

I modified the Domain Group policy (through Restricted Groups setting) to allow the security group "STAFF" to be members of the "ADMINISTRATORS" group.

Now that our CMS software upgrade is complete, I want to remove the "STAFF" security group from the Local Administrators group on all the office workstations.  What is the best way to do that?

I already tried amending the Domain Group policy's "RESTRICTED GROUPs" to remove "STAFF" but even after refreshing Group Policy on the local workstations the security group "STAFF" is still present in the "LOCAL ADMINISTRATORS" group.  Please tell me I do not have to manually remove this group on each PC!

snoopfrogg

Verify that you're using the "Members" Restricted Group list versus the "MemberOf" list.  

Description of Group Policy Restricted Groups
http://support.microsoft.com/kb/279301

From http://www.windowsecurity.com/articles/Using-Restricted-Groups.html:

Members of this group: This setting allows you to control the members of the group that you specify for the policy. The members can include both user and group accounts. When you configure the members of a group, it will overwrite the existing membership of the group and replace the members with those specified within the GPO. If you were to configure this setting and leave the members blank, then the group would not have any members after the GPO applied to the computer.

dealvis (ASKER)

Are you saying I need to specify the allowed membership of the Local Administrators Group via Group Policy to remove our staff members security group from the Local Admins group on the office computer they use?

Right.  The "Members" list specifies which users and/or groups will be members of the local administrators group on computers affected by the GPO.  

Any users or groups not listed in the GPO will be removed from the local administrators group when Group Policy refreshes on computers.  On the other hand, if a user or group is listed in the GPO but is not found in a computer's local administrators group, the user or group will be added.
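
An added example (not from the thread and not Microsoft's code) that models the behavior described above: a "MemberOf" entry only adds a group and leaves it behind when the entry is deleted, while a "Members" list on Administrators replaces the membership outright. The `GptTmpl.inf` fragments and the `CONTOSO` names are constructed, and names are used in place of SIDs for readability.

```python
import configparser

# Constructed, simplified GptTmpl.inf fragments. Real files usually identify
# groups by SID; names are used here for readability (assumption).
MEMBEROF_GPO = r"""
[Group Membership]
CONTOSO\STAFF__Memberof = Administrators
CONTOSO\STAFF__Members =
"""
REMOVED_GPO = "[Group Membership]\n"  # the STAFF entry deleted from the GPO
MEMBERS_GPO = r"""
[Group Membership]
Administrators__Memberof =
Administrators__Members = Administrator,CONTOSO\Domain Admins
"""

def apply_restricted_groups(inf_text, local_members, group="Administrators"):
    """Model the effect of one policy refresh on a local group's membership."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case as written
    cp.read_string(inf_text)
    result = set(local_members)
    entries = [(key.rpartition("__"), [v.strip() for v in val.split(",") if v.strip()])
               for key, val in cp.items("Group Membership")]
    # "Members" on the target group is authoritative: the list replaces membership.
    for (name, _, kind), values in entries:
        if name == group and kind.lower() == "members":
            result = set(values)
    # "Memberof" on another group is additive: it only inserts that group.
    for (name, _, kind), values in entries:
        if kind.lower() == "memberof" and group in values:
            result.add(name)
    return result

def demo():
    # Constructed starting membership of a workstation's local Administrators group.
    start = {"Administrator", r"CONTOSO\Domain Admins", r"CONTOSO\jsmith"}
    added = apply_restricted_groups(MEMBEROF_GPO, start)   # STAFF is added
    stale = apply_restricted_groups(REMOVED_GPO, added)    # entry deleted, STAFF stays
    fixed = apply_restricted_groups(MEMBERS_GPO, stale)    # only listed members remain
    return added, stale, fixed

if __name__ == "__main__":
    labels = ("MemberOf applied", "entry deleted", "Members applied")
    for label, state in zip(labels, demo()):
        print(f"{label:17} {sorted(state)}")
```

In the last step `CONTOSO\jsmith` is removed along with `CONTOSO\STAFF`, because neither is in the "Members" list.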

dealvis (ASKER)

OK, I see your solution should work but was wondering how to prevent my laptop users from being removed from the Local Admins group if I do what you say?  Should I put the laptop users in a security group and exempt the policy from applying to them?
ASKER CERTIFIED SOLUTION
snoopfrogg

dealvis (ASKER)

Your directions on the proper use of GP for this situation were exactly what I am trying to implement - Thanks.