Disable local admin account on domain

Hi Experts

I manage a domain where all users are local admin. I would like to change this as we are getting a lot of viruses. However, we are using software which needs to be constantly updated, and it won't be practical to keep on having to go and enter the domain admin account details for each user as they need to update. Is there a way around this issue?

Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
There are two options:

1. Group Policy:  Security Groups options where you choose the group memberships (this does not allow users to be added manually and GPO must be used to change group memberships)
2. Group Policy:  Computer startup group where you could add/remove local admin group members via a script
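
A startup script of the kind option 2 describes could look like the following. This is an added example, not code from the thread: the allow-list (built-in Administrator and Domain Admins, matched by their well-known RIDs) and the `-Enforce` switch are assumptions to adapt to your own domain.

```powershell
# Added example: computer startup script (runs as SYSTEM via GPO) that
# enforces an allow-list on the local Administrators group.
# Assumption: only the built-in Administrator (RID 500) and Domain Admins
# (RID 512) should remain; extend $allowedSidPatterns for your environment.
#Requires -Version 5.1
param(
    [switch]$Enforce   # without -Enforce the script only reports what it would remove
)

# Well-known SID of the local Administrators group (the name is localized, the SID is not)
$adminGroupSid = 'S-1-5-32-544'

# Allowed members, matched by SID pattern rather than by name so that
# renamed accounts are still recognised.
$allowedSidPatterns = @(
    'S-1-5-21-*-500',   # built-in local Administrator
    'S-1-5-21-*-512'    # Domain Admins
)

function Test-AllowedMember {
    param([string]$Sid)
    foreach ($pattern in $allowedSidPatterns) {
        if ($Sid -like $pattern) { return $true }
    }
    return $false
}

try {
    $members = Get-LocalGroupMember -SID $adminGroupSid -ErrorAction Stop
} catch {
    Write-Output "Could not enumerate local Administrators: $($_.Exception.Message)"
    exit 1
}

foreach ($m in $members) {
    $sid = $m.SID.Value
    if (Test-AllowedMember -Sid $sid) { continue }

    if ($Enforce) {
        # Remove anything not on the allow-list (e.g. individual domain users)
        Remove-LocalGroupMember -SID $adminGroupSid -Member $m -ErrorAction Stop
        Write-Output "Removed $($m.Name) ($sid)"
    } else {
        Write-Output "Would remove $($m.Name) ($sid)"
    }
}
```

Run it once without `-Enforce` on a sample of machines to review what would be removed before linking it as a startup script.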
corecc (Author) commented:
Hi, thanks, option 2 sounds good but the issue is how do I allow a third party application to install updates if the user isn't local admin?
Jason Watkins (IT Project Leader) commented:
Does the software have to be run as an administrator? If not, you could make the user's account a regular account and give them a second administrative account, which they could use to update the software. If you are using Windows Vista, 7 or 8, UAC could be used to run the software as an administrator without having to log in as such.
You can deploy software/updates through group policies. Then all your users could be standard users.
Nagendra Pratap Singh (Desktop Applications Specialist) commented:
You can use WSUS + SCUP. Or perhaps something larger like SCCM/Altiris.

There are thousands of pages explaining the functioning of these tools on the net.
Sandeshdubey (Senior Server Engineer) commented:
I would recommend renaming the local administrator account and resetting the password to a complex one instead of disabling it. If the clients cannot log in to the domain, or if the secure channel of the client is broken, you need to log in locally and perform the disjoin operation. http://www.techrepublic.com/blog/the-enterprise-cloud/change-local-username-and-password-via-group-policy/

For software update by GP see this: http://technet.microsoft.com/en-us/library/cc783421(v=ws.10).aspx
You can remove administrative rights following mnkhawaja's comments, and you can install the application using GPO or, if a manual interaction is required, you can use something like RunasSpc from Robotronic.

This is a runas where you can encrypt the admin password.

corecc (Author) commented:
Thanks guys, these are all really useful solutions.