Disable Local Admins From Installing Software

Initially, an application we had required local admin rights.  That requirement has been changed but we in I.T. are left with the headache that it leaves behind.  We have around 200 PC's all with local admin rights.  I have two questions:

#1)  How can we change their local group membership via a group policy object (GPO)?
#2)  If number one can't be done, how can we stop local admins from installing software?

Environment info:
Windows 2003 domain w/ active directory
50% Windows 2000
50% Windows XP

Appreciate any ideas or thoughts!
Who is Participating?
oBdAConnect With a Mentor Commented:
You can do that with a "Restricted Groups" policy.
Using the "This group has the following members" is "desctructive", the group will have exactly tge members as defined in the policy (so don't forget to add "Administrators" and "Domain Administrators"!). This is what you'll need.
Using "This group is a member of" is "additive", the given group will be added while leaving the other members intact.

Description of Group Policy Restricted Groups
http://support.microsoft.com/kb/279301 - Similar

Updates to Restricted Groups ("Member of") behavior of user-defined local groups
http://support.microsoft.com/kb/810076 - Similar

#2 can't be achieved in a secure way. A local administrator is a local administrator, any restrictions imposed on this account can be undone. After all, that's what this account is for.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.