Back in the day when our company was pretty small, the previous IT Administrator created a policy that inserted the "Domain Users" group into the local administrators group onto everyone workstation.
Since our company has grown, we now want to start locking these system down tighter. My question is, how do I go about doing this with little impact to the user. We don't really care if the users installs software on their own, etc. We just want to limit users from connecting to other systems using the C$ share and browser other users files/folder.
My current thinking is, we remove the "Domain Users" group from the local administrators group by disabling the group policy for the entry. Then manually add each user as a local administrator on their system. Any new systems builds we do in the future we will just add the user to the local administrators group by themselves.