Solved

removing all domain users from the local admin group

Posted on 2011-03-16
Last Modified: 2012-05-11
Hello all,
We have a domain network consisting of around 600-700 desktops/laptops in various locations. I have seen that some of the users have been given local admin rights, and it is a tough job for me to remove the rights by going to each and every desktop/laptop. Is there any solution using GPO, deploying scripts, or other? Please help me out.

Thanks in advance
Eswar

Question by:eswarchandrakosuru
6 Comments
 
LVL 13

Assisted Solution

by:AustinComputerLabs
AustinComputerLabs earned 166 total points
ID: 35153900
0
 
LVL 42

Assisted Solution

by:kevinhsieh
kevinhsieh earned 166 total points
ID: 35154748
The part you are looking for in the above thread is to use Restricted Groups in the group policy. It adds and removes membership to exactly match what you want, which is probably local administrator and domain admins.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 168 total points
ID: 35156334
In order to do this without screwing up any servers, you need to make sure all your PCs are located in a separate OU (or OUs) - note that the default Computers container is NOT an OU.

Once that is done, create and link a new GPO to this OU (or multiple OUs)
Drill into the GPO settings to:
Computer Config>Windows Settings>Security Settings
Right click on Restricted Groups and select Add Group
Type in the name manually - Administrators
Press Ok.
On the next property sheet - in the top pane (Members of this Group), press Add.
Manually type in Administrator, then press OK.
Repeat the Add process, this time Browse to the Domain Admin group.
Press OK to complete then OK once more to make it happen.

Allow it time to hit the workstations.

Keep in mind now that this policy ENFORCES membership of the local Administrators group to only what you selected above.  Which means, anyone else that is added locally on the machine will be removed at new policy refresh (about every 90 minutes).  If you require local people to have Admin rights to certain machines, then you'll have to split up the machines into different OUs so you can apply different Restricted Group policies to each grouping of machines.

Hope this helps.
0
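
A read-only audit that can be run before linking the Restricted Groups policy from the accepted answer, to see which accounts it would remove and which machines may need their own OU. This is an added example, not part of the original thread; it assumes PowerShell 5.1, the RSAT ActiveDirectory module and WinRM on the workstations, and the function names, OU path and sample SIDs are hypothetical.

```powershell
# Added example (not from the thread). Lists local Administrators members that a
# Restricted Groups policy of "Administrator + Domain Admins" would remove.

function Get-UnexpectedLocalAdmin {
    param(
        [Parameter(Mandatory)] [object[]] $Member,    # objects with Name and SID (string)
        [Parameter(Mandatory)] [string]   $DomainSid  # e.g. (Get-ADDomain).DomainSID.Value
    )
    $domainAdmins = "$DomainSid-512"                  # well-known RID 512 = Domain Admins
    foreach ($m in $Member) {
        $sid = [string]$m.SID
        # Built-in local Administrator: RID 500 under the machine SID, not the domain SID
        $isBuiltin = $sid -match '-500$' -and -not $sid.StartsWith("$DomainSid-")
        if (-not $isBuiltin -and $sid -ne $domainAdmins) { $m }
    }
}

function Get-OuLocalAdminReport {
    param([Parameter(Mandatory)] [string] $SearchBase)   # DN of the workstation OU
    Import-Module ActiveDirectory                        # RSAT module (assumed installed)
    $domainSid = (Get-ADDomain).DomainSID.Value
    $names = (Get-ADComputer -Filter * -SearchBase $SearchBase).DNSHostName
    # S-1-5-32-544 is BUILTIN\Administrators. Plain strings are returned so the
    # values survive remoting serialization unchanged. Machines that cannot be
    # reached are simply absent from the output.
    $rows = Invoke-Command -ComputerName $names -ErrorAction SilentlyContinue -ScriptBlock {
        Get-LocalGroupMember -SID 'S-1-5-32-544' |
            ForEach-Object { [pscustomobject]@{ Name = $_.Name; SID = $_.SID.Value } }
    }
    if ($rows) {
        Get-UnexpectedLocalAdmin -Member $rows -DomainSid $domainSid |
            Select-Object PSComputerName, Name, SID
    }
}

# Constructed sample data (made-up SIDs) so the filter can be tried offline.
$dom = 'S-1-5-21-1111111111-2222222222-3333333333'
$sample = @(
    [pscustomobject]@{ Name = 'PC01\Administrator';    SID = 'S-1-5-21-4444444444-5555555555-6666666666-500' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins'; SID = "$dom-512" }
    [pscustomobject]@{ Name = 'EXAMPLE\jsmith';        SID = "$dom-1604" }
)
Get-UnexpectedLocalAdmin -Member $sample -DomainSid $dom

# Live use (placeholder OU path):
# Get-OuLocalAdminReport -SearchBase 'OU=Workstations,DC=example,DC=com'
```

Running the same report after the policy has refreshed confirms that only the two intended members remain on each workstation.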
 
LVL 38

Expert Comment

by:ChiefIT
ID: 35163060
Have you also considered preventing users from logging on locally with a group policy object?
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 36046104
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
