Solved

removing all domain users from the local admin group

Posted on 2011-03-16
6
323 Views
Last Modified: 2012-05-11
hello all...
we have and domain network consisting of around 600-700 desktops/laptops in various locations. i have seen some of the users are given the local admin rights and it is a tough job for me to remove the rights going to each and every desktop/laptop. is there any solution, using GPO, deploying Scripts and other.please help me out.

thanks in advance
Eswar

0
Comment
Question by:eswarchandrakosuru
6 Comments
 
LVL 13

Assisted Solution

by:AustinComputerLabs
AustinComputerLabs earned 166 total points
Comment Utility
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 166 total points
Comment Utility
The part you are looking for in the above thread is to use Restricted Groups in the group policy. It adds and removes membership to exactly match what you want, which is probably local administrator and domain admins.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 168 total points
Comment Utility
In order to do this without screwing up any servers, you need to make sure all your PCs are located in a separate OU (or OUs) - note that the default Computers container is NOT an OU.

Once that is done, create and link a new GPO to this OU (or multiple OUs)
Drill into the GPO settings to:
Computer Config>Windows Settings>Security Settings
Right click on Restricted Groups and select Add Group
Type in the name manually - Administrators
Press Ok.
On the next property sheet - in the top pane (Members of this Group), press Add.
Manually type in Administrator, then press OK.
Repeat the Add process, this time Browse to the Domain Admin group.
Press OK to compete then OK once more to make it happen.

Allow it time to hit the workstations.

Keep in mind now that this policy ENFORCES membership of the local Administrators group to only what you selected above.  Which means, anyone else that is added locally on the machine will be removed at new policy refresh (about every 90 minutes).  If you require local people to have Admin rights to certain machines, then you'll have to split up the machines into different OUs so you can apply different Restricted Group policies to each grouping of machines.

Hope this helps.
0
 
LVL 38

Expert Comment

by:ChiefIT
Comment Utility
Have you also considered preventing users from loging on locally group policy object?
0
 
LVL 68

Expert Comment

by:Qlemo
Comment Utility
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Resolve DNS query failed errors for Exchange
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will give a an overview on how to deploy remote agents in Backup Exec 2012 to new servers. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as connecting to a remote Back…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

6 Experts available now in Live!

Get 1:1 Help Now