• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 278
  • Last Modified:

Local admin group policy challenge!

I have a relatively small domain of 20 XP Pro workstations and 1 windows Server 2003 Standard DC.
Each user is a local admin because domain users are in the local admin group of each workstation. Is there a way to reverse this without going to each station? - the last couple of viruses have made us much more security aware. I want to turn users back to normal users to prevent software installations.
1 Solution
Mike KlineCommented:
Great idea, you don't need them to be local admins.

You can use restricted groups to do this.  Florian has a great writeup   http://www.frickelsoft.net/blog/?p=13

So as you can see you can either wipe out what is there and start fresh or add/append to what is there.

in your case I'd start fresh and define what you want.

Get a feel for it by testing on your box or a test machine first.


NET LOCALGROUP administrators UserName /delete

change UserName with required name & use this command in batch file.
Restricted groups is the better option because it enforces the setting through time as opposed to just making just a one time change.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now