Solved

removing all domain users from the local admin group

Posted on 2011-03-16
6
330 Views
Last Modified: 2012-05-11
hello all...
we have and domain network consisting of around 600-700 desktops/laptops in various locations. i have seen some of the users are given the local admin rights and it is a tough job for me to remove the rights going to each and every desktop/laptop. is there any solution, using GPO, deploying Scripts and other.please help me out.

thanks in advance
Eswar

0
Comment
Question by:eswarchandrakosuru
6 Comments
 
LVL 13

Assisted Solution

by:AustinComputerLabs
AustinComputerLabs earned 166 total points
ID: 35153900
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 166 total points
ID: 35154748
The part you are looking for in the above thread is to use Restricted Groups in the group policy. It adds and removes membership to exactly match what you want, which is probably local administrator and domain admins.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 168 total points
ID: 35156334
In order to do this without screwing up any servers, you need to make sure all your PCs are located in a separate OU (or OUs) - note that the default Computers container is NOT an OU.

Once that is done, create and link a new GPO to this OU (or multiple OUs)
Drill into the GPO settings to:
Computer Config>Windows Settings>Security Settings
Right click on Restricted Groups and select Add Group
Type in the name manually - Administrators
Press Ok.
On the next property sheet - in the top pane (Members of this Group), press Add.
Manually type in Administrator, then press OK.
Repeat the Add process, this time Browse to the Domain Admin group.
Press OK to compete then OK once more to make it happen.

Allow it time to hit the workstations.

Keep in mind now that this policy ENFORCES membership of the local Administrators group to only what you selected above.  Which means, anyone else that is added locally on the machine will be removed at new policy refresh (about every 90 minutes).  If you require local people to have Admin rights to certain machines, then you'll have to split up the machines into different OUs so you can apply different Restricted Group policies to each grouping of machines.

Hope this helps.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 35163060
Have you also considered preventing users from loging on locally group policy object?
0
 
LVL 69

Expert Comment

by:Qlemo
ID: 36046104
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question