Solved

removing all domain users from the local admin group

Posted on 2011-03-16
6
338 Views
Last Modified: 2012-05-11
hello all...
we have and domain network consisting of around 600-700 desktops/laptops in various locations. i have seen some of the users are given the local admin rights and it is a tough job for me to remove the rights going to each and every desktop/laptop. is there any solution, using GPO, deploying Scripts and other.please help me out.

thanks in advance
Eswar

0
Comment
Question by:eswarchandrakosuru
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 13

Assisted Solution

by:AustinComputerLabs
AustinComputerLabs earned 166 total points
ID: 35153900
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 166 total points
ID: 35154748
The part you are looking for in the above thread is to use Restricted Groups in the group policy. It adds and removes membership to exactly match what you want, which is probably local administrator and domain admins.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 168 total points
ID: 35156334
In order to do this without screwing up any servers, you need to make sure all your PCs are located in a separate OU (or OUs) - note that the default Computers container is NOT an OU.

Once that is done, create and link a new GPO to this OU (or multiple OUs)
Drill into the GPO settings to:
Computer Config>Windows Settings>Security Settings
Right click on Restricted Groups and select Add Group
Type in the name manually - Administrators
Press Ok.
On the next property sheet - in the top pane (Members of this Group), press Add.
Manually type in Administrator, then press OK.
Repeat the Add process, this time Browse to the Domain Admin group.
Press OK to compete then OK once more to make it happen.

Allow it time to hit the workstations.

Keep in mind now that this policy ENFORCES membership of the local Administrators group to only what you selected above.  Which means, anyone else that is added locally on the machine will be removed at new policy refresh (about every 90 minutes).  If you require local people to have Admin rights to certain machines, then you'll have to split up the machines into different OUs so you can apply different Restricted Group policies to each grouping of machines.

Hope this helps.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 35163060
Have you also considered preventing users from loging on locally group policy object?
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 36046104
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question