How to remove certain domain users as local administrators on certain domain computers with group policy?

I have tried to create a GPO in S2K8 R2 which should`ve removed certain users as local administrators on all computers they have been granted administrator rights on. I´ve linked the GPO to Users OU and added them in the users in question to the security filtering window. For some reason this doesn´t work. What have I missed?
Lene ZachariassenAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Will SzymkowskiSenior Solution ArchitectCommented:
If you are talking about Restricted Groups then you have applied the policy to the wrong OU. Restricted Groups is a computer based policy so it needs to be assigned to the OU where the computers reside.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Lene ZachariassenAuthor Commented:
I have now linked the policy to "machines" under the domain with the user names in question in the filtering, but the policy still doesn´t apply. Please see the attached report.
Lene ZachariassenAuthor Commented:
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Will SzymkowskiSenior Solution ArchitectCommented:
You file does not have a file extension. Have you made sure that Security Filtering is set properly? If it is not set correctly policies will not apply.

DonNetwork AdministratorCommented:
Also this policy wont apply until the clients are restarted.
David Johnson, CD, MVPOwnerCommented:
David Johnson, CD, MVPOwnerCommented:
a better policy is outlined on joseph moody's deployment happiness blog

What it does is only have one local administrator on a machine at a time and it depends upon which user is logged in whether or not they have admin privileges

Start by creating two security groups in Active Directory named something like:
- Local Admin Computers
- Local Admin Users

Add the users needing administrative rights to the Local Admin Users group. Any computer that they need the permissions on should be added to the Local Admin Computers group. I prefer using two separate groups as I do not like to have multiple object types in the same security group..
Create a new GPO named Restricted Group: Additional Local Admins. Though we will be using Group Policy Preferences, I like keeping the GPO prefix the same as my other restricted groups GPOs. Under Security Filtering, add both groups that you created earlier. We will be using loopback for this GPO - both the user and computer will need permissions to apply the GPO. The GPO should be linked to a OU containing members of the Local Admin Computers security group.

Edit the GPO. If your computers do not already have loopback enabled, navigate to Computer Configuration/Policies/Administrative Templates/System/Group Policy. Enable Configure user Group Policy loopback processing mode and set the mode to Merge. Ensure that the GPO is processed when a member of Local Admin Users logs into a computer in the Local Admin Computers group.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.