Link to home
Start Free TrialLog in
Avatar of tnims
tnims

asked on

Removing Domain Users from Local Administrators Group

Back in the day when our company was pretty small, the previous IT Administrator created a policy that inserted the "Domain Users" group into the local administrators group onto everyone workstation.

Since our company has grown, we now want to start locking these system down tighter.  My question is, how do I go about doing this with little impact to the user.  We don't really care if the users installs software on their own, etc.  We just want to limit users from connecting to other systems using the C$ share and browser other users files/folder.

My current thinking is, we remove the "Domain Users" group from the local administrators group by disabling the group policy for the entry.  Then manually add each user as a local administrator on their system.  Any new systems builds we do in the future we will just add the user to the local administrators group by themselves.

Your thoughts....
Avatar of jburgaard
jburgaard

Add the INTERACTIVE user to local administrators group.
Can be done with GPO.
SOLUTION
Avatar of McKnife
McKnife
Flag of Germany image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
ASKER CERTIFIED SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of tnims

ASKER

Thanks McKnife! I only added the users assigned the laptop/desktop local administrators on their systems.

Removing the GPO that adds the Domain Users group to the local administrators group on the each systems does not remove the group from the local administrator group.  Scripts have to be ran against each system in order for this happen.