Lene Zachariassen
asked on
How to remove certain domain users as local administrators on certain domain computers with group policy?
I have tried to create a GPO in S2K8 R2 which should've removed certain users as local administrators on all computers they have been granted administrator rights on. I've linked the GPO to the Users OU and added the users in question to the Security Filtering window. For some reason this doesn't work. What have I missed?
Your file does not have a file extension. Have you made sure that Security Filtering is set properly? If it is not set correctly, policies will not apply.
Will
A better policy is outlined on Joseph Moody's Deployment Happiness blog:
http://deployhappiness.com/clever-way-manage-administrative-rights-regular-users/#more-8088
What it does is only have one local administrator on a machine at a time, and it depends upon which user is logged in whether or not they have admin privileges.
Start by creating two security groups in Active Directory named something like:
- Local Admin Computers
- Local Admin Users
Add the users needing administrative rights to the Local Admin Users group. Any computer that they need the permissions on should be added to the Local Admin Computers group. I prefer using two separate groups as I do not like to have multiple object types in the same security group.
Create a new GPO named Restricted Group: Additional Local Admins. Though we will be using Group Policy Preferences, I like keeping the GPO prefix the same as my other restricted groups GPOs. Under Security Filtering, add both groups that you created earlier. We will be using loopback for this GPO - both the user and computer will need permissions to apply the GPO. The GPO should be linked to an OU containing members of the Local Admin Computers security group.
Edit the GPO. If your computers do not already have loopback enabled, navigate to Computer Configuration/Policies/Administrative Templates/System/Group Policy. Enable Configure user Group Policy loopback processing mode and set the mode to Merge. Ensure that the GPO is processed when a member of Local Admin Users logs into a computer in the Local Admin Computers group.