
How to remove certain domain users as local administrators on certain domain computers with group policy?

I have tried to create a GPO in S2K8 R2 which should've removed certain users as local administrators on all computers they have been granted administrator rights on. I've linked the GPO to the Users OU and added the users in question to the security filtering window. For some reason this doesn't work. What have I missed?

Will Szymkowski, Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015
Commented:
If you are talking about Restricted Groups then you have applied the policy to the wrong OU. Restricted Groups is a computer based policy so it needs to be assigned to the OU where the computers reside.

Will.

Author

Commented:
I have now linked the policy to "machines" under the domain with the user names in question in the filtering, but the policy still doesn't apply. Please see the attached report.
Will Szymkowski, Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
Your file does not have a file extension. Have you made sure that Security Filtering is set properly? If it is not set correctly, policies will not apply.

Will
Don, Network Administrator
Commented:
Also, this policy won't apply until the clients are restarted.
Distinguished Expert 2019

Commented:
A better policy is outlined on Joseph Moody's Deploy Happiness blog:
http://deployhappiness.com/clever-way-manage-administrative-rights-regular-users/#more-8088

What it does is have only one local administrator on a machine at a time, and whether or not a user has admin privileges depends upon which user is logged in.

Start by creating two security groups in Active Directory named something like:
- Local Admin Computers
- Local Admin Users

Add the users needing administrative rights to the Local Admin Users group. Any computer that they need the permissions on should be added to the Local Admin Computers group. I prefer using two separate groups, as I do not like to have multiple object types in the same security group.

Create a new GPO named Restricted Group: Additional Local Admins. Though we will be using Group Policy Preferences, I like keeping the GPO prefix the same as my other Restricted Groups GPOs. Under Security Filtering, add both groups that you created earlier. We will be using loopback for this GPO; both the user and the computer will need permissions to apply the GPO. The GPO should be linked to an OU containing members of the Local Admin Computers security group.

Edit the GPO. If your computers do not already have loopback enabled, navigate to Computer Configuration/Policies/Administrative Templates/System/Group Policy. Enable Configure user Group Policy loopback processing mode and set the mode to Merge. Ensure that the GPO is processed when a member of Local Admin Users logs into a computer in the Local Admin Computers group.
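The group, GPO, security-filtering and loopback steps above, scripted as an added PowerShell example. This is not code from the thread or from the Deploy Happiness post; it assumes the RSAT ActiveDirectory and GroupPolicy modules on a management host, an OU `OU=Workstations,DC=corp,DC=example` that holds the computers, and the sample accounts `helpdesk.jane` and `WS-001$`, all of which are placeholders. It also reflects Will's earlier point: the loopback switch and any Restricted Groups setting live on the computer side, so the GPO is linked where the computers reside, not to the Users OU.

```powershell
# Added example: builds the two groups, the GPO, its security filtering and the
# loopback setting from the procedure above. OU path and member names are assumed.
#Requires -Modules ActiveDirectory, GroupPolicy
Import-Module ActiveDirectory
Import-Module GroupPolicy

$computerGroup = 'Local Admin Computers'
$userGroup     = 'Local Admin Users'
$gpoName       = 'Restricted Group: Additional Local Admins'
$targetOU      = 'OU=Workstations,DC=corp,DC=example'   # assumed: the OU holding the computers

# 1. Two separate security groups, one for computers and one for users,
#    so that object types are not mixed in a single group.
foreach ($name in $computerGroup, $userGroup) {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security
    }
}

# 2. Populate them. Sample members are placeholders; a computer account is
#    addressed by its sAMAccountName, which ends in a literal '$'.
Add-ADGroupMember -Identity $userGroup     -Members 'helpdesk.jane'   # assumed user account
Add-ADGroupMember -Identity $computerGroup -Members 'WS-001$'         # assumed computer account

# 3. Create the GPO and link it to the OU that contains the computers.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes -ErrorAction SilentlyContinue

# 4. Security filtering. With loopback the computer processes the GPO and the
#    logged-on user receives its user settings, so BOTH groups need Apply.
#    Authenticated Users is reduced to Read only (not removed), so computers can
#    still read the GPO when evaluating user-side settings.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $computerGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName $userGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 5. Loopback processing in Merge mode. This is the registry value behind
#    Computer Configuration > Policies > Administrative Templates > System >
#    Group Policy > "Configure user Group Policy loopback processing mode"
#    (UserPolicyMode: 1 = Merge, 2 = Replace).
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 6. The Group Policy Preferences "Local Users and Groups" item that grants the
#    logged-on user membership of Administrators has no cmdlet; add it in the
#    GPMC editor under User Configuration > Preferences > Control Panel Settings.

# 7. Review the filtering before clients refresh policy.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# On a client, after 'gpupdate /force' and a reboot (see Don's note above),
# confirm who actually holds local admin rights:
#   Get-LocalGroupMember -Group Administrators
```

Step 4 is the part most often got wrong in threads like this one: filtering on the user alone, as in the original question, leaves the computer with no Apply permission, so a computer-side policy (Restricted Groups or the loopback switch) never reaches the machine, and `gpresult /r` on the client shows the GPO as filtered out.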