Removing Domain Users from Local Administrators Group

Posted on 2014-01-22
Last Modified: 2014-02-02
Back in the day when our company was pretty small, the previous IT Administrator created a policy that inserted the "Domain Users" group into the local administrators group on everyone's workstation.

Since our company has grown, we now want to start locking these systems down tighter.  My question is, how do I go about doing this with little impact to the user.  We don't really care if the users install software on their own, etc.  We just want to limit users from connecting to other systems using the C$ share and browsing other users' files/folders.

My current thinking is, we remove the "Domain Users" group from the local administrators group by disabling the group policy for the entry.  Then manually add each user as a local administrator on their system.  For any new system builds we do in the future, we will just add the user to the local administrators group by themselves.

Your thoughts....
Question by:tnims
4 Comments

Expert Comment

by:jburgaard
ID: 39801116
Add the INTERACTIVE user to local administrators group.
Can be done with GPO.

Assisted Solution

by:McKnife
McKnife earned 2000 total points
ID: 39809024
Don't add any user there at all. I would only do it if these users use administrative rights on a daily basis.
Yes, removing the policy would remove the group, but you should make sure by using a startup script that removes it with the line
net localgroup administrators "domain users" /delete
or by using restricted groups.
Accepted Solution

by:tnims
ID: 39815935
Here is how I added the specific username to their specific computer systems.

You'll need to download the following PS script:

http://gallery.technet.microsoft.com/scriptcenter/Add-AD-UserGroup-to-Local-fe5e9239

I created a csv file.  In the first column, I listed all the computer names I needed to run this script against.  In the second column, I listed the username associated with the specific computer in column one (these usernames will get added to the local Administrators group on the system).

In PowerShell, navigate to the directory where the csv file and ps1 are located (put both in the same directory) and use the following code:

Import-Csv -Path FileContainingYourComputernames/Usernames.csv | ForEach-Object {
   .\Set-ADAccountasLocalAdministrator.ps1 -Computer $_.computername -Trustee $_.username
}

________________

How I removed the Domain Users group from all my systems using PowerShell:

$strComputer = "hostname"
$domain = "DOMAIN"          # NetBIOS name of the domain; this variable was used below but never defined in the original
$username = "domain users"
$computer = [ADSI]("WinNT://" + $strComputer + ",computer")
$computer.name
$Group = $computer.psbase.children.find("administrators")
$Group.name
# Lists the current members of the local Administrators group on $strComputer
function ListAdministrators
{
    $members = $Group.psbase.invoke("Members") | ForEach-Object { $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) }
    $members
}
ListAdministrators
# Remove the domain group from local Administrators, then list again to confirm
$Group.Remove("WinNT://" + $domain + "/" + $username)
ListAdministrators
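The two steps of the accepted solution rolled into one pass, as an added example that is not from the thread or the linked gallery script: it reads the same computer/user CSV, reports for each machine whether "Domain Users" and the assigned user are in local Administrators (which is the audit you need because dropping the GPO leaves the membership in place), and only changes membership when -Enforce is given. The parameter names, the CSV column names and the DOMAIN value are assumptions.

```powershell
# Added example, not part of the original thread. Assumes a CSV with columns
# ComputerName,UserName, that the run-as account is a local admin on each target,
# and that $Domain is the NetBIOS name of your domain (placeholder "DOMAIN").
param(
    [string]$CsvPath = ".\computers.csv",
    [string]$Domain  = "DOMAIN",
    [switch]$Enforce            # without this switch the script only reports
)

function Get-LocalAdminMembers {
    param([System.DirectoryServices.DirectoryEntry]$Group)
    # The WinNT provider returns COM objects; read each member's ADsPath via reflection
    $Group.psbase.Invoke("Members") | ForEach-Object {
        $_.GetType().InvokeMember("ADsPath", 'GetProperty', $null, $_, $null)
    }
}

Import-Csv -Path $CsvPath | ForEach-Object {
    $computer = $_.ComputerName
    $user     = $_.UserName
    try {
        $adminGroup = [ADSI]"WinNT://$computer/Administrators,group"
        $members    = @(Get-LocalAdminMembers -Group $adminGroup)
    } catch {
        # Offline or access denied: report and move on to the next computer
        Write-Warning "${computer}: cannot read Administrators group ($($_.Exception.Message))"
        return
    }
    $domainUsersPath = "WinNT://$Domain/Domain Users"
    $userPath        = "WinNT://$Domain/$user"

    # -contains on strings is case-insensitive in PowerShell, which suits ADsPath comparisons
    $hasDomainUsers = $members -contains $domainUsersPath
    $hasUser        = $members -contains $userPath
    Write-Output ("{0}: DomainUsers={1} AssignedUser={2}" -f $computer, $hasDomainUsers, $hasUser)

    if ($Enforce) {
        # Remove the broad group first, then grant the single assigned user
        if ($hasDomainUsers) { $adminGroup.Remove($domainUsersPath) }
        if (-not $hasUser)   { $adminGroup.Add($userPath) }
    }
}
```

Run it once without -Enforce and keep the output as the "before" record; a second run after -Enforce should show DomainUsers=False on every reachable host.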
Author Closing Comment

by:tnims
ID: 39827465
Thanks McKnife! I only added the users assigned the laptop/desktop as local administrators on their systems.

Removing the GPO that adds the Domain Users group to the local administrators group on each system does not remove the group from the local administrators group.  Scripts have to be run against each system in order for this to happen.