?
Solved

Disable Local Admins From Installing Software

Posted on 2009-06-30
1
Medium Priority
?
220 Views
Last Modified: 2013-12-05
Initially, an application we had required local admin rights.  That requirement has been changed but we in I.T. are left with the headache that it leaves behind.  We have around 200 PC's all with local admin rights.  I have two questions:

#1)  How can we change their local group membership via a group policy object (GPO)?
#2)  If number one can't be done, how can we stop local admins from installing software?

Environment info:
Windows 2003 domain w/ active directory
50% Windows 2000
50% Windows XP

Appreciate any ideas or thoughts!
0
Comment
Question by:bschwarting
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 85

Accepted Solution

by:
oBdA earned 2000 total points
ID: 24745151
You can do that with a "Restricted Groups" policy.
Using the "This group has the following members" is "desctructive", the group will have exactly tge members as defined in the policy (so don't forget to add "Administrators" and "Domain Administrators"!). This is what you'll need.
Using "This group is a member of" is "additive", the given group will be added while leaving the other members intact.

Description of Group Policy Restricted Groups
http://support.microsoft.com/kb/279301 - Similar

Updates to Restricted Groups ("Member of") behavior of user-defined local groups
http://support.microsoft.com/kb/810076 - Similar

#2 can't be achieved in a secure way. A local administrator is a local administrator, any restrictions imposed on this account can be undone. After all, that's what this account is for.
0

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question