Solved

Disable Local Admins From Installing Software

Posted on 2009-06-30
1
211 Views
Last Modified: 2013-12-05
Initially, an application we had required local admin rights.  That requirement has been changed but we in I.T. are left with the headache that it leaves behind.  We have around 200 PC's all with local admin rights.  I have two questions:

#1)  How can we change their local group membership via a group policy object (GPO)?
#2)  If number one can't be done, how can we stop local admins from installing software?

Environment info:
Windows 2003 domain w/ active directory
50% Windows 2000
50% Windows XP

Appreciate any ideas or thoughts!
0
Comment
Question by:bschwarting
1 Comment
 
LVL 83

Accepted Solution

by:
oBdA earned 500 total points
ID: 24745151
You can do that with a "Restricted Groups" policy.
Using the "This group has the following members" is "desctructive", the group will have exactly tge members as defined in the policy (so don't forget to add "Administrators" and "Domain Administrators"!). This is what you'll need.
Using "This group is a member of" is "additive", the given group will be added while leaving the other members intact.

Description of Group Policy Restricted Groups
http://support.microsoft.com/kb/279301 - Similar

Updates to Restricted Groups ("Member of") behavior of user-defined local groups
http://support.microsoft.com/kb/810076 - Similar

#2 can't be achieved in a secure way. A local administrator is a local administrator, any restrictions imposed on this account can be undone. After all, that's what this account is for.
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

816 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now