Solved

Disable Local Admins From Installing Software

Posted on 2009-06-30
1
219 Views
Last Modified: 2013-12-05
Initially, an application we had required local admin rights.  That requirement has been changed but we in I.T. are left with the headache that it leaves behind.  We have around 200 PC's all with local admin rights.  I have two questions:

#1)  How can we change their local group membership via a group policy object (GPO)?
#2)  If number one can't be done, how can we stop local admins from installing software?

Environment info:
Windows 2003 domain w/ active directory
50% Windows 2000
50% Windows XP

Appreciate any ideas or thoughts!
0
Comment
Question by:bschwarting
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 85

Accepted Solution

by:
oBdA earned 500 total points
ID: 24745151
You can do that with a "Restricted Groups" policy.
Using the "This group has the following members" is "desctructive", the group will have exactly tge members as defined in the policy (so don't forget to add "Administrators" and "Domain Administrators"!). This is what you'll need.
Using "This group is a member of" is "additive", the given group will be added while leaving the other members intact.

Description of Group Policy Restricted Groups
http://support.microsoft.com/kb/279301 - Similar

Updates to Restricted Groups ("Member of") behavior of user-defined local groups
http://support.microsoft.com/kb/810076 - Similar

#2 can't be achieved in a secure way. A local administrator is a local administrator, any restrictions imposed on this account can be undone. After all, that's what this account is for.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question