• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 6910
  • Last Modified:

Removing Domain Users from Local Administrators Group

Back in the day when our company was pretty small, the previous IT Administrator created a policy that inserted the "Domain Users" group into the local administrators group onto everyone workstation.

Since our company has grown, we now want to start locking these system down tighter.  My question is, how do I go about doing this with little impact to the user.  We don't really care if the users installs software on their own, etc.  We just want to limit users from connecting to other systems using the C$ share and browser other users files/folder.

My current thinking is, we remove the "Domain Users" group from the local administrators group by disabling the group policy for the entry.  Then manually add each user as a local administrator on their system.  Any new systems builds we do in the future we will just add the user to the local administrators group by themselves.

Your thoughts....
0
tnims
Asked:
tnims
  • 2
2 Solutions
 
jburgaardCommented:
Add the INTERACTIVE user to local administrators group.
Can be done with GPO.
0
 
McKnifeCommented:
Don't add any user there at all. I would only do it if these users use administrative rights on a daily basis.
Yes, removing the policy would remove the group, but you should make sure by using a startup script that removes it with the line
net localgroup /remove administrators domain-users
or by using restricted groups.
0
 
tnimsAuthor Commented:
Here is how I added the specific username to their specific computer systems.

You'll need to download the following PS script:

http://gallery.technet.microsoft.com/scriptcenter/Add-AD-UserGroup-to-Local-fe5e9239

I created a csv file.  In the first column, I listed all the computer names I needed to run this script against.  In the second column, I listed the username associated with the specific computer in column one (these usernames will get added to the local Administrators group on the system).

in PowerShell, navigate to the directory where the csv file and ps1 is located (put both in the same directory) and use the following code:

Import-Csv -Path FileContainingYourComputernames/Usernames.csv | ForEach-Object {
   .\Set-ADAccountasLocalAdministrator.ps1 -Computer $_.computername -Trustee $_.username
}

________________

How I removed the Domain Users group from all my systems using PowerShell:

$strComputer = "hostname"
$username = "domain users"
$computer = [ADSI]("WinNT://" + $strComputer + ",computer")
$computer.name
$Group = $computer.psbase.children.find("administrators")
$Group.name
function ListAdministrators
{$members= $Group.psbase.invoke("Members") | %{$_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)}
$members}
ListAdministrators
$Group.Remove("WinNT://" + $domain + "/" + $username)
ListAdministrators
0
 
tnimsAuthor Commented:
Thanks McKnife! I only added the users assigned the laptop/desktop local administrators on their systems.

Removing the GPO that adds the Domain Users group to the local administrators group on the each systems does not remove the group from the local administrator group.  Scripts have to be ran against each system in order for this happen.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now