Permissions: Removing users from Domain Admins group

Posted on 2009-04-28
Last Modified: 2012-05-06
The previous IT guy who left our company thought it was best and easiest to make all users Domain Admins.
I removed a couple of users from the list last night for testing, and this morning they couldn't log into Vista because it was complaining that permissions were set and things couldn't run and install. How would I go about removing them with no problems?
Question by: Techno-Man-uk
    LVL 19

    Expert Comment

    Are they logging on locally?

    Do they need to be local administrators on their workstations?  

    Author Comment

    No, they are logging on to a domain and they don't need to be administrators, except a couple of users.
    LVL 82

    Assisted Solution

    For the time being, to remove them from Domain Admins at least, create a domain local group "WorkstationAdmin" or whatever.
    Use a "Restricted Groups" policy (add "WorkstationAdmin" as restricted group and choose "This group is a member of: Administrators"; do NOT add "Administrators" as restricted group; the former is additive, the latter would remove any local admin accounts other than the ones you specify in the policy) applied to your workstations (start with a test workstation ...).
    Add the group "Domain Users" to the group "WorkstationAdmin".
    Then you'll need to take a regular workstation and adjust the logon scripts and permissions so that a regular user can use the machine. At that point, remove the Domain Users from the WorkstationAdmin group.
    LVL 2

    Assisted Solution

    What you can do is remove them all from Domain Admins and make sure they are all members of Domain Users.

    If you wish to give them local admin rights (i.e. on their computer), then on the computer right-click Computer > Manage > Local Users and Groups > Administrators > Add Domain Users.

    Not sure if that is how you access it on Vista, though it is correct for XP. Effectively, get into Manage Computer and add Domain Users to the Administrators group on the local computer; this will apply sufficient rights to use the computer without giving everyone full access to files on the network.
    LVL 18

    Accepted Solution

    It seems like the users you removed from the Domain Admins group need local administrator rights to run applications on their Vista machines. By default, the Domain Admins group is a member of the local Administrators group on all machines joined to the domain. By removing the user accounts from the Domain Admins group, you removed the local admin rights on their Vista machines. If you are familiar with GPO, the method oBdA suggests is the way to go, but you must test it and get familiar with it to use it successfully.
    The other thing is that what you are trying to do is the right thing to do, that is, remove all users who do not need to be in the Domain Admins group. It is just too crazy to add all users to this group.

    For those two users that you removed and who are running into problems, for now, just add the domain user account to their Vista machine's local Administrators group and they should be fine. But in the long run, if these are just end users, they may not need admin rights, as they shouldn't be the ones able to install whatever they want on a domain computer. So, if all users are already in the Domain Admins group, many users could have gotten used to the admin rights, and once you remove them from the Domain Admins group, they may experience problems... a lot of cleanup.
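
The difference oBdA's answer draws between the two Restricted Groups forms ("member of Administrators" is additive, restricting "Administrators" itself removes other local admins) can be checked in the policy's security template before the GPO is applied to a test workstation. This is an added example, not part of the original thread: the function name is hypothetical, it assumes the text of the GPO's GptTmpl.inf has already been read, and every SID except the well-known S-1-5-32-544 is a constructed sample value.

```python
import configparser

# Local Administrators: well-known SID plus the names the template may carry instead.
ADMINS = {"s-1-5-32-544", "administrators", "builtin\\administrators"}
# Constructed sample SID standing in for the "WorkstationAdmin" domain group.
WS_ADMIN = "S-1-5-21-1111111111-2222222222-3333333333-1105"

# Constructed [Group Membership] sections for the two forms of the policy.
ADDITIVE = f"""[Group Membership]
*{WS_ADMIN}__Memberof = *S-1-5-32-544
*{WS_ADMIN}__Members =
"""
REPLACING = f"""[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *{WS_ADMIN}
"""

def _names(value):
    """Split a comma-separated principal list, dropping the '*' SID marker."""
    return [p.strip().lstrip("*") for p in value.split(",") if p.strip()]

def classify_restricted_groups(inf_text):
    """Return (group, effect, principals) for entries touching local Administrators.

    'additive': the group is added to Administrators, other members are kept.
    'replaces': Administrators itself is restricted to the listed members.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case exactly as written in the template
    cp.read_string(inf_text)
    findings = []
    if not cp.has_section("Group Membership"):
        return findings
    for key, value in cp.items("Group Membership"):
        group, _, kind = key.rpartition("__")
        group, kind = group.lstrip("*"), kind.lower()
        if kind == "members" and group.lower() in ADMINS:
            findings.append((group, "replaces", _names(value)))
        elif kind == "memberof" and any(n.lower() in ADMINS for n in _names(value)):
            findings.append((group, "additive", _names(value)))
    return findings

if __name__ == "__main__":
    # A real GptTmpl.inf is normally UTF-16; open it with encoding="utf-16".
    for label, text in (("additive form", ADDITIVE), ("replacing form", REPLACING)):
        print(label, classify_restricted_groups(text))
```

A "replaces" finding is the form the answer warns against: it needs every intended local administrator listed before the policy reaches production workstations.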
