
How can I change some local administrator accounts to local restricted accounts in a domain

Top Expert 2012

Commented:
Can you please explain in more detail?

If I may put the question another way, do you want to restrict the local Administrators group once the computer has been added to an Active Directory domain?
Top Expert 2013

Commented:
If you want to define the local groups for domain machines, use Restricted Groups; great write-up by Florian:

http://www.frickelsoft.net/blog/?p=13

...but like the others said we may need some clarification.

Thanks

Mike

Author

Commented:
I have 600 computers in my domain. There are 600 domain users also. These domain users have administrator rights on their computers locally. I want to change this to Restricted account. You know, when you join a computer to the domain, you are asked to select (Power user / Restricted user / Administration). Also, when you open Control Panel - User Accounts and select a user's properties, there are 3 choices. Here, I want to select "Restricted" for all, but I want to do it in a bulk transaction, as you guess. I hope that it is clear. Thank you very much.

Author

Commented:
Sorry, I want to change all Local administrator account password too.
Top Expert 2013

Commented:
I'd then use Restricted Groups to define your own groups/users for the local admin group. Florian's blog has all the info, but test it out on a few machines first to get a feel for it.

Just remember users will no longer be local admins and you will get complaints...but it is the right thing to do.

Thanks

Mike
It's always difficult to balance user-friendliness with security in mind.

Author

Commented:
In Florian's blog explanation, it talks about a group "LocalAdmins" which was created by the Domain Administrator (me). Does that group contain the computer names that I want to restrict?
Top Expert 2013

Commented:
You link the Group Policy to the OU that contains your computers (or at the domain level if you want every machine to have the restrictions). Then you add the groups you want and they will be added to the local admin group on the machines.

Thanks

Mike

Author

Commented:
I am very, very sorry. I know I must link the GPO to the OU. But somehow I cannot understand: when I put a group (will this group include users?) in the upper side (members), what will happen? Sorry if I am such an idiot.
Top Expert 2013

Commented:
You are not an idiot.

So you create the group in AD... it won't include any users; you will populate the group with members. Then you can use Restricted Groups to add that group to the local admin group on the workstations.

Thanks

Mike
mkline71's solution will work well for removing local users as admins.
I have a second suggestion that will also allow you to change the passwords:
New Group Policy Preferences. As long as you have at least one Vista/2008 or newer box on your network, you can use them to change usernames and passwords.
Oops....

Author

Commented:
Anyway, it did not work. There is something complex. My target is: "You know, when you join a computer to the domain, you are asked to select (Power user / Restricted user / Administration). Also, when you open Control Panel - User Accounts and select a user's properties, there are 3 choices. Here, I want to select "Restricted" for all, but I want to do it in a bulk transaction, as you guess."
Is there any way to do this without using Restricted Groups?
Both those solutions should work. Where did you run into trouble? You will need to make at least one local admin account on each computer. Then set your Restricted Group to have only that one local user and Domain Admins as local administrators on your computers.
Commented:
This script removes local users from the local Administrators group:
Option Explicit
Dim network, group, user
' Bind to this computer's Administrators group through the WinNT provider
Set network = CreateObject("WScript.Network")
Set group = GetObject("WinNT://" & network.ComputerName & "/Administrators,group")
' Remove every member except the built-in Administrator and Domain Admins
For Each user In group.Members
    If UCase(user.Name) <> "ADMINISTRATOR" And UCase(user.Name) <> "DOMAIN ADMINS" Then
        group.Remove user.ADsPath
    End If
Next
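As an added example (not from this thread or Florian's post), here is a PowerShell version of the clean-up above that also follows the earlier advice to keep one local admin account plus Domain Admins: it audits the local Administrators group against an allow-list, matches the built-in Administrator by its RID 500 SID rather than its name, and refuses to remove anything if no allowed administrator would remain. The domain name CONTOSO, the group name LocalAdmins and the Microsoft.PowerShell.LocalAccounts cmdlets (Windows PowerShell 5.1 or later) are assumptions.

```powershell
# Added example, not from this thread: audit the local Administrators group of a
# domain-joined machine against an allow-list and optionally remove everything else.
# Assumptions: domain NetBIOS name CONTOSO; the AD group that Restricted Groups
# pushes into local Administrators is named LocalAdmins (as in Florian's write-up);
# the Microsoft.PowerShell.LocalAccounts cmdlets are available (Windows PowerShell 5.1+).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Domain = 'CONTOSO',
    [string[]]$AllowedDomainGroups = @('Domain Admins', 'LocalAdmins'),
    [string[]]$AllowedLocalUsers = @(),   # e.g. a dedicated local admin account per machine
    [switch]$Remove
)

$allowed = $AllowedDomainGroups | ForEach-Object { "$Domain\$_" }
$members = @(Get-LocalGroupMember -Group 'Administrators')

$keep  = @()
$extra = @()
foreach ($m in $members) {
    $isLocal   = $m.PrincipalSource -eq 'Local'
    $shortName = $m.Name -replace '^.*\\', ''    # strip COMPUTER\ or DOMAIN\ prefix
    # The built-in local Administrator always has RID 500; match it by SID rather
    # than by name so the allow-list still holds if the account has been renamed.
    $isBuiltIn = $isLocal -and ($m.SID.Value -like 'S-1-5-21-*-500')
    $isAllowedLocalUser = $isLocal -and ($m.ObjectClass -eq 'User') -and ($AllowedLocalUsers -contains $shortName)
    # Domain groups come back as DOMAIN\Name, e.g. CONTOSO\Domain Admins.
    $isAllowedGroup = ($m.ObjectClass -eq 'Group') -and ($allowed -contains $m.Name)
    if ($isBuiltIn -or $isAllowedLocalUser -or $isAllowedGroup) { $keep += $m } else { $extra += $m }
}

Write-Host 'Allowed members:'
$keep  | Format-Table Name, ObjectClass, PrincipalSource -AutoSize | Out-Host
Write-Host 'Members NOT on the allow-list:'
$extra | Format-Table Name, ObjectClass, PrincipalSource -AutoSize | Out-Host

if ($Remove -and $extra.Count -gt 0) {
    # Never leave the machine without an allowed administrator (the advice above:
    # keep one local admin account plus Domain Admins on every computer).
    if ($keep.Count -eq 0) {
        throw 'Refusing to remove members: no allowed administrator would remain.'
    }
    foreach ($m in $extra) {
        if ($PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m
        }
    }
}
```

Run it without -Remove to audit only; with -Remove -WhatIf it lists what would be removed before you commit to it on the test machines.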