Solved

Removing Domain Users from Local Administrators Group

Posted on 2014-01-22
Last Modified: 2014-02-02
Back in the day when our company was pretty small, the previous IT Administrator created a policy that inserted the "Domain Users" group into the local administrators group on everyone's workstation.

Since our company has grown, we now want to start locking these systems down tighter.  My question is, how do I go about doing this with little impact to the user?  We don't really care if the users install software on their own, etc.  We just want to limit users from connecting to other systems using the C$ share and browsing other users' files/folders.

My current thinking is, we remove the "Domain Users" group from the local administrators group by disabling the group policy for the entry.  Then manually add each user as a local administrator on their system.  For any new system builds we do in the future, we will just add the user to the local administrators group by themselves.

Your thoughts....
0
Question by:tnims
4 Comments
 
LVL 17

Expert Comment

by:jburgaard
ID: 39801116
Add the INTERACTIVE user to local administrators group.
Can be done with GPO.
0
 
LVL 55

Assisted Solution

by:McKnife
McKnife earned 500 total points
ID: 39809024
Don't add any user there at all. I would only do it if these users use administrative rights on a daily basis.
Yes, removing the policy would remove the group, but you should make sure by using a startup script that removes it with the line
net localgroup administrators "<DOMAIN>\Domain Users" /delete
or by using restricted groups.
0
 

Accepted Solution

by:
tnims earned 0 total points
ID: 39815935
Here is how I added the specific username to their specific computer systems.

You'll need to download the following PS script:

http://gallery.technet.microsoft.com/scriptcenter/Add-AD-UserGroup-to-Local-fe5e9239

I created a csv file.  In the first column, I listed all the computer names I needed to run this script against.  In the second column, I listed the username associated with the specific computer in column one (these usernames will get added to the local Administrators group on the system).

In PowerShell, navigate to the directory where the csv file and ps1 are located (put both in the same directory) and use the following code:

Import-Csv -Path FileContainingYourComputernames/Usernames.csv | ForEach-Object {
   .\Set-ADAccountasLocalAdministrator.ps1 -Computer $_.computername -Trustee $_.username
}

________________

How I removed the Domain Users group from all my systems using PowerShell:

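# NetBIOS name of the domain that owns the group (placeholder, set to your own)
$domain      = "YOURDOMAIN"
$strComputer = "hostname"
$username    = "domain users"

# Bind to the computer and its local Administrators group via the WinNT provider
$computer = [ADSI]("WinNT://" + $strComputer + ",computer")
$computer.name
$Group = $computer.psbase.children.find("administrators")
$Group.name

# List the current members of the local Administrators group
function ListAdministrators
{
    $members = $Group.psbase.invoke("Members") | %{ $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null) }
    $members
}

ListAdministrators    # membership before the removal
$Group.Remove("WinNT://" + $domain + "/" + $username)
ListAdministrators    # membership after the removal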
0
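
A follow-up check for the procedure above, added here as an example and not part of the original posts: it reads the local Administrators group on each listed computer through the same WinNT provider and reports where "Domain Users" is still a member, where the assigned user is missing, and which machines could not be queried. It assumes the CSV header row is computername,username (the property names the import loop uses), that the username column holds the bare account name, and that group names are in English; the sample row is constructed from the local machine so the block runs as-is.

```powershell
# Added example: audit local Administrators membership after the cleanup.
# Constructed sample input (this machine, current user) so the block runs as-is;
# for the real run use: $rows = Import-Csv -Path <your csv with computername,username>
$rows = "computername,username`n$env:COMPUTERNAME,$env:USERNAME" | ConvertFrom-Csv
$forbidden = 'Domain Users'   # group that must no longer be a local administrator

function Get-LocalAdminMember {
    param([string]$ComputerName)
    # Same WinNT provider the removal script uses; binds to the (remote) group.
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $t     = $m.GetType()
        $path  = $t.InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $class = $t.InvokeMember('Class', 'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN/name for domain accounts and
        # WinNT://DOMAIN/COMPUTER/name for local ones; keep the last two parts.
        $parts = @(($path -replace '^WinNT://', '') -split '/')
        New-Object PSObject -Property @{
            Name  = $parts[-1]
            Scope = $(if ($parts.Count -gt 1) { $parts[-2] } else { '' })
            Class = $class
        }
    }
}

$report = foreach ($row in $rows) {
    $status = 'OK'
    $names  = @()
    try {
        $members = @(Get-LocalAdminMember -ComputerName $row.computername)
        $names   = @($members | ForEach-Object { $_.Scope + '\' + $_.Name })
        $short   = @($members | ForEach-Object { $_.Name })
        if ($short -contains $forbidden) {
            $status = 'DOMAIN USERS STILL PRESENT'
        } elseif ($short -notcontains $row.username) {
            $status = 'ASSIGNED USER MISSING'
        }
    } catch {
        # Offline, firewalled or access denied: report it instead of skipping it.
        $status = 'UNREACHABLE: ' + $_.Exception.Message
    }
    New-Object PSObject -Property @{
        Computer = $row.computername; AssignedUser = $row.username
        Status   = $status;           Members      = ($names -join '; ')
    }
}
$report | Select-Object Computer, AssignedUser, Status, Members | Format-Table -AutoSize -Wrap
```

Rows marked UNREACHABLE need a second pass once the machine is back online, since a laptop that was off the network during the removal run keeps the old membership.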
 

Author Closing Comment

by:tnims
ID: 39827465
Thanks McKnife! I only added the users assigned to the laptop/desktop as local administrators on their systems.

Removing the GPO that adds the Domain Users group to the local administrators group on each system does not remove the group from the local administrators group.  Scripts have to be run against each system in order for this to happen.
0
