Solved

Removing Domain Users from Local Administrators Group

Posted on 2014-01-22
Last Modified: 2014-02-02
Back in the day when our company was pretty small, the previous IT Administrator created a policy that inserted the "Domain Users" group into the local administrators group on everyone's workstation.

Since our company has grown, we now want to start locking these systems down tighter.  My question is, how do I go about doing this with little impact to the user?  We don't really care if the users install software on their own, etc.  We just want to limit users from connecting to other systems using the C$ share and browsing other users' files/folders.

My current thinking is, we remove the "Domain Users" group from the local administrators group by disabling the group policy for the entry.  Then manually add each user as a local administrator on their system.  For any new system builds we do in the future, we will just add the user to the local administrators group by themselves.

Your thoughts....
Question by:tnims
4 Comments
 
LVL 17

Expert Comment

by:jburgaard
ID: 39801116
Add the INTERACTIVE user to local administrators group.
Can be done with GPO.
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 39809024
Don't add any user there at all. I would only do it if these users use administrative rights on a daily basis.
Yes, removing the policy would remove the group, but you should make sure by using a startup script that removes it with the line
net localgroup administrators "Domain Users" /delete
or by using restricted groups.
0
 

Accepted Solution

by:
tnims earned 0 total points
ID: 39815935
Here is how I added the specific username to their specific computer systems.

You'll need to download the following PS script:

http://gallery.technet.microsoft.com/scriptcenter/Add-AD-UserGroup-to-Local-fe5e9239

I created a csv file.  In the first column, I listed all the computer names I needed to run this script against.  In the second column, I listed the username associated with the specific computer in column one (these usernames will get added to the local Administrators group on the system).

In PowerShell, navigate to the directory where the csv file and ps1 are located (put both in the same directory) and use the following code:

Import-Csv -Path FileContainingYourComputernames/Usernames.csv | ForEach-Object {
   .\Set-ADAccountasLocalAdministrator.ps1 -Computer $_.computername -Trustee $_.username
}

________________

How I removed the Domain Users group from all my systems using PowerShell:

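# Target computer, domain and group to remove (replace the placeholder values)
$strComputer = "hostname"
$domain = "YOURDOMAIN"   # placeholder: NetBIOS name of your domain
$username = "domain users"

# Bind to the computer and its local Administrators group via the WinNT provider
$computer = [ADSI]("WinNT://" + $strComputer + ",computer")
$computer.name
$Group = $computer.psbase.children.find("administrators")
$Group.name

# List the names of the current members of the local Administrators group
function ListAdministrators
{
    $members = $Group.psbase.invoke("Members") | %{ $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) }
    $members
}

ListAdministrators                                      # membership before
$Group.Remove("WinNT://" + $domain + "/" + $username)   # remove the domain group
ListAdministrators                                      # membership after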
0
 

Author Closing Comment

by:tnims
ID: 39827465
Thanks McKnife! I only added the users assigned to the laptop/desktop as local administrators on their systems.

Removing the GPO that adds the Domain Users group to the local administrators group on each system does not remove the group from the local administrators group.  Scripts have to be run against each system in order for this to happen.
0
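
An added example, not code from any poster in this thread or from the TechNet script: because removing the GPO leaves the group in place, this walks the same computername/username rows, reads each machine's local Administrators group through the WinNT provider used above, removes Domain Users only when -Remove is given, and reports what is left. YOURDOMAIN, the host names and the user names are constructed placeholders.

```powershell
# Added example, not from the original thread. Requires PowerShell 3.0 or later.
param(
    [string]$Domain = 'YOURDOMAIN',   # placeholder NetBIOS domain name
    [switch]$Remove                   # report only unless -Remove is given
)

# Constructed sample rows; for real use replace with: $rows = Import-Csv -Path <your csv>
$rows = @'
computername,username
PC-001,alice
PC-002,bob
'@ | ConvertFrom-Csv

function Get-LocalAdminPaths([string]$Computer) {
    # ADsPath of every member of the machine's local Administrators group
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

$broad  = "WinNT://$Domain/Domain Users"
$report = foreach ($row in $rows) {
    $owner = "WinNT://$Domain/$($row.username)"
    try {
        $paths = @(Get-LocalAdminPaths $row.computername)
        if ($Remove -and ($paths -contains $broad)) {
            ([ADSI]"WinNT://$($row.computername)/Administrators,group").Remove($broad)
            $paths = @(Get-LocalAdminPaths $row.computername)   # re-read to confirm
        }
        [pscustomobject]@{
            Computer      = $row.computername
            Reachable     = $true
            DomainUsersIn = $paths -contains $broad   # -contains is case-insensitive
            OwnerIsAdmin  = $paths -contains $owner
            Detail        = ($paths -replace '^WinNT://', '') -join '; '
        }
    } catch {
        # Offline or access-denied machines are reported, never assumed clean
        [pscustomobject]@{
            Computer = $row.computername; Reachable = $false
            DomainUsersIn = $null; OwnerIsAdmin = $null; Detail = $_.Exception.Message
        }
    }
}

$report | Format-Table -AutoSize
# Follow-up list: unreachable machines and machines that still contain Domain Users
$report | Where-Object { -not $_.Reachable -or $_.DomainUsersIn } | Format-Table Computer, Reachable, DomainUsersIn -AutoSize
```

Machines in the follow-up list have to be re-run once they are back on the network, since an unreachable workstation still carries the old membership.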
