Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

removing all domain users from the local admin group

Posted on 2011-03-16
6
Medium Priority
?
347 Views
Last Modified: 2012-05-11
hello all...
we have and domain network consisting of around 600-700 desktops/laptops in various locations. i have seen some of the users are given the local admin rights and it is a tough job for me to remove the rights going to each and every desktop/laptop. is there any solution, using GPO, deploying Scripts and other.please help me out.

thanks in advance
Eswar

0
Comment
Question by:eswarchandrakosuru
5 Comments
 
LVL 13

Assisted Solution

by:AustinComputerLabs
AustinComputerLabs earned 664 total points
ID: 35153900
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 664 total points
ID: 35154748
The part you are looking for in the above thread is to use Restricted Groups in the group policy. It adds and removes membership to exactly match what you want, which is probably local administrator and domain admins.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 672 total points
ID: 35156334
In order to do this without screwing up any servers, you need to make sure all your PCs are located in a separate OU (or OUs) - note that the default Computers container is NOT an OU.

Once that is done, create and link a new GPO to this OU (or multiple OUs)
Drill into the GPO settings to:
Computer Config>Windows Settings>Security Settings
Right click on Restricted Groups and select Add Group
Type in the name manually - Administrators
Press Ok.
On the next property sheet - in the top pane (Members of this Group), press Add.
Manually type in Administrator, then press OK.
Repeat the Add process, this time Browse to the Domain Admin group.
Press OK to compete then OK once more to make it happen.

Allow it time to hit the workstations.

Keep in mind now that this policy ENFORCES membership of the local Administrators group to only what you selected above.  Which means, anyone else that is added locally on the machine will be removed at new policy refresh (about every 90 minutes).  If you require local people to have Admin rights to certain machines, then you'll have to split up the machines into different OUs so you can apply different Restricted Group policies to each grouping of machines.

Hope this helps.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 35163060
Have you also considered preventing users from loging on locally group policy object?
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 36046104
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question