Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Removing Domain Users from Local Administrators Group

Posted on 2014-01-22
4
Medium Priority
?
6,633 Views
Last Modified: 2014-02-02
Back in the day when our company was pretty small, the previous IT Administrator created a policy that inserted the "Domain Users" group into the local administrators group onto everyone workstation.

Since our company has grown, we now want to start locking these system down tighter.  My question is, how do I go about doing this with little impact to the user.  We don't really care if the users installs software on their own, etc.  We just want to limit users from connecting to other systems using the C$ share and browser other users files/folder.

My current thinking is, we remove the "Domain Users" group from the local administrators group by disabling the group policy for the entry.  Then manually add each user as a local administrator on their system.  Any new systems builds we do in the future we will just add the user to the local administrators group by themselves.

Your thoughts....
0
Comment
Question by:tnims
  • 2
4 Comments
 
LVL 17

Expert Comment

by:jburgaard
ID: 39801116
Add the INTERACTIVE user to local administrators group.
Can be done with GPO.
0
 
LVL 57

Assisted Solution

by:McKnife
McKnife earned 2000 total points
ID: 39809024
Don't add any user there at all. I would only do it if these users use administrative rights on a daily basis.
Yes, removing the policy would remove the group, but you should make sure by using a startup script that removes it with the line
net localgroup /remove administrators domain-users
or by using restricted groups.
0
 

Accepted Solution

by:
tnims earned 0 total points
ID: 39815935
Here is how I added the specific username to their specific computer systems.

You'll need to download the following PS script:

http://gallery.technet.microsoft.com/scriptcenter/Add-AD-UserGroup-to-Local-fe5e9239

I created a csv file.  In the first column, I listed all the computer names I needed to run this script against.  In the second column, I listed the username associated with the specific computer in column one (these usernames will get added to the local Administrators group on the system).

in PowerShell, navigate to the directory where the csv file and ps1 is located (put both in the same directory) and use the following code:

Import-Csv -Path FileContainingYourComputernames/Usernames.csv | ForEach-Object {
   .\Set-ADAccountasLocalAdministrator.ps1 -Computer $_.computername -Trustee $_.username
}

________________

How I removed the Domain Users group from all my systems using PowerShell:

$strComputer = "hostname"
$username = "domain users"
$computer = [ADSI]("WinNT://" + $strComputer + ",computer")
$computer.name
$Group = $computer.psbase.children.find("administrators")
$Group.name
function ListAdministrators
{$members= $Group.psbase.invoke("Members") | %{$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
$members}
ListAdministrators
$Group.Remove("WinNT://" + $domain + "/" + $username)
ListAdministrators
0
 

Author Closing Comment

by:tnims
ID: 39827465
Thanks McKnife! I only added the users assigned the laptop/desktop local administrators on their systems.

Removing the GPO that adds the Domain Users group to the local administrators group on the each systems does not remove the group from the local administrator group.  Scripts have to be ran against each system in order for this happen.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ever visit a website where you spotted a really cool looking Font, yet couldn't figure out which font family it belonged to, or how to get a copy of it for your own use? This article explains the process of doing exactly that, as well as showing how…
Sometimes clients can lose connectivity with the Lotus Notes Domino Server, but there's not always an obvious answer as to why it happens.   Read this article to follow one of the first experiences I had with Lotus Notes on a client's machine, my…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…

885 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question