Solved

Disable Local Admins From Installing Software

Posted on 2009-06-30
1
207 Views
Last Modified: 2013-12-05
Initially, an application we had required local admin rights.  That requirement has been changed but we in I.T. are left with the headache that it leaves behind.  We have around 200 PC's all with local admin rights.  I have two questions:

#1)  How can we change their local group membership via a group policy object (GPO)?
#2)  If number one can't be done, how can we stop local admins from installing software?

Environment info:
Windows 2003 domain w/ active directory
50% Windows 2000
50% Windows XP

Appreciate any ideas or thoughts!
0
Comment
Question by:bschwarting
1 Comment
 
LVL 83

Accepted Solution

by:
oBdA earned 500 total points
ID: 24745151
You can do that with a "Restricted Groups" policy.
Using the "This group has the following members" is "desctructive", the group will have exactly tge members as defined in the policy (so don't forget to add "Administrators" and "Domain Administrators"!). This is what you'll need.
Using "This group is a member of" is "additive", the given group will be added while leaving the other members intact.

Description of Group Policy Restricted Groups
http://support.microsoft.com/kb/279301 - Similar

Updates to Restricted Groups ("Member of") behavior of user-defined local groups
http://support.microsoft.com/kb/810076 - Similar

#2 can't be achieved in a secure way. A local administrator is a local administrator, any restrictions imposed on this account can be undone. After all, that's what this account is for.
0

Join & Write a Comment

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now