Permissions: Removing users from Domain Admins group

Hi,
The previous IT guy who left our company thought it was best and easiest to make all users Domain Admins.
I removed a couple of users from the list last night for testing, and this morning they couldn't log into Vista because it was complaining that permissions were set and things couldn't run and install. How would I go about removing them with no problems?
Thanks
Techno-Man-uk Asked:
 
Americom Commented:
It seems like the users you removed from the Domain Admins group need local administrator rights to run applications on their Vista machines. By default, the Domain Admins group is a member of the local Administrators group for all machines joined to the domain. By removing the user accounts from the Domain Admins group, you removed their local admin rights on their Vista machines. If you are familiar with GPO, the method oBdA suggests is the way to go, but you must test it and get familiar with it to use it successfully.
The other thing is that what you are trying to do is the right thing to do, that is, remove all users who do not need to be in the Domain Admins group. It is just too crazy to add all users to this group.

For those two users that you removed and who are running into problems, for now, just add the domain user account to their Vista machine's local Administrators group and they should be fine. But in the long run, if these are just end users, they may not need admin rights, as they shouldn't be the ones able to install whatever they want on a domain computer. So, if all users are already in the Domain Admins group, many users could have gotten used to the admin rights, and once you remove them from the Domain Admins group, they may experience problems... a lot of cleanup.
0
 
lamaslany Commented:
Are they logging on locally?

Do they need to be local administrators on their workstations?  
0
 
Techno-Man-uk Author Commented:
No, they are logging on to a domain, and they don't need to be administrators, except a couple of users.
0
 
oBdA Commented:
For the time being, to remove them from Domain Admins at least, create a domain local group "WorkstationAdmin" or whatever.
Use a "Restricted Groups" policy (add "WorkstationAdmin" as restricted group and choose "This group is a member of: Administrators"; do NOT add "Administrators" as restricted group; the former is additive, the latter would remove any local admin accounts other than the ones you specify in the policy) applied to your workstations (start with a test workstation ...).
Add the group "Domain Users" to the group "Workstation Admins".
Then you'll need to take a regular workstation and adjust the logon scripts and permissions so that a regular user can use the machine. At that point, remove the Domain Users from the WorkstationAdmin group.
0
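
The directory side of the steps in the post above, as an added example that is not part of the original thread: it creates the interim group, snapshots Domain Admins membership for rollback, and stages the removals as a dry run. It assumes the ActiveDirectory PowerShell module is available on the admin machine; the keep-list names and the CSV path are placeholders.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# and an account allowed to manage groups in the domain.
Import-Module ActiveDirectory

# Placeholder names: accounts that legitimately stay in Domain Admins.
$KeepAsDomainAdmin = @('Administrator', 'it-admin-placeholder')
$Backup = Join-Path $env:TEMP 'DomainAdmins-before.csv'

# 1. Create the domain local group named in the post if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq 'WorkstationAdmin'")) {
    New-ADGroup -Name 'WorkstationAdmin' -GroupScope DomainLocal -GroupCategory Security `
        -Description 'Interim workstation local admin via Restricted Groups policy'
}

# 2. Interim step: put Domain Users in WorkstationAdmin so nobody loses local
#    admin once the Restricted Groups policy has applied to the workstations.
$wsMembers = Get-ADGroupMember -Identity 'WorkstationAdmin' |
    Select-Object -ExpandProperty Name
if ($wsMembers -notcontains 'Domain Users') {
    Add-ADGroupMember -Identity 'WorkstationAdmin' -Members 'Domain Users'
}

# 3. Record the current Domain Admins membership for review and rollback.
$current = Get-ADGroupMember -Identity 'Domain Admins'
$current | Select-Object Name, SamAccountName, objectClass, distinguishedName |
    Export-Csv -Path $Backup -NoTypeInformation

# 4. Every user account not on the keep list is a removal candidate.
$toRemove = $current | Where-Object {
    $_.objectClass -eq 'user' -and $KeepAsDomainAdmin -notcontains $_.SamAccountName
}
$toRemove | Format-Table Name, SamAccountName

# 5. Dry run. Drop -WhatIf only after a test workstation lists WorkstationAdmin
#    in its local Administrators group (check with: net localgroup Administrators).
foreach ($user in $toRemove) {
    Remove-ADGroupMember -Identity 'Domain Admins' -Members $user -Confirm:$false -WhatIf
}
```

The Restricted Groups policy itself is still configured in the Group Policy editor as described in the post; this script does not create or link it.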
 
smacky81 Commented:
What you can do is remove them all from Domain Admins and make sure they are all members of Domain Users.

If you wish to give them local admin rights (i.e. on their computer), then on the computer right-click Computer > Manage > Local Users and Groups > Administrators > Add Domain Users

Not sure if that is how you access it on Vista, though it is correct for XP. Effectively, get into Manage Computer and add Domain Users to the Administrators group on the local computer, and this will apply sufficient rights to use the computer, without giving everyone full access to files on the network.
0
Question has a verified solution.
