Removing interactive user from the local administrators group
Hi guys,
Hope you are all well and can assist.
We currently have a scenario in our environment where ALL Windows XP users are members of the local administrators group by way of adding the INTERACTIVE group to the local administrators group.
The reason we did this was for various reasons including allowing tasks and processes to run under the context of the currently logged on user.
However, what we have discovered, is that these same users can remote desktop to ALL machines in our environment since they are part of this interactive group in the local admins.
We are moving to Windows 7.
We wish to stop users being able to remote desktop to other peoples' systems, but at the same time, allow them administrator access on their own machine.
Any help on this would be greatly appreciated.
Hope you are all well and can assist.
We currently have a scenario in our environment where ALL Windows XP users are members of the local administrators group by way of adding the INTERACTIVE group to the local administrators group.
The reason we did this was for various reasons including allowing tasks and processes to run under the context of the currently logged on user.
However, what we have discovered, is that these same users can remote desktop to ALL machines in our environment since they are part of this interactive group in the local admins.
We are moving to Windows 7.
We wish to stop users being able to remote desktop to other peoples' systems, but at the same time, allow them administrator access on their own machine.
Any help on this would be greatly appreciated.
ASKER
Hi ivanoviola,
Thanks so much for your help.
So, can I just confirm with you,
Do you guys add the user to the local administrators group?
For what reasons did you guys decide to make the user a member of the local admins group?
Really appreciate your help.
Thanks so much for your help.
So, can I just confirm with you,
Do you guys add the user to the local administrators group?
For what reasons did you guys decide to make the user a member of the local admins group?
Really appreciate your help.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks ivanoviola, really appreciate your help on this.
ASKER
Thanks so much.
Remove all users/groups from the local Administrators and Users groups. We then added the local Administrator account, Domain Admins (domain group), TechTeam (domain group) and the user account of the person using the computer into both groups.
For Remote Desktop....under "Select Users"
We remove all users/groups and just add the Domain Admins group.
This works fine for us.