Lene Zachariassen asked:

How to remove certain domain users as local administrators on certain domain computers with group policy?

I have tried to create a GPO in S2K8 R2 which should've removed certain users as local administrators on all computers they have been granted administrator rights on. I've linked the GPO to the Users OU and added the users in question in the Security Filtering window. For some reason this doesn't work. What have I missed?
ASKER CERTIFIED SOLUTION
Will Szymkowski
Lene Zachariassen (ASKER):

I have now linked the policy to "machines" under the domain with the user names in question in the filtering, but the policy still doesn't apply. Please see the attached report.
Your file does not have a file extension. Have you made sure that Security Filtering is set properly? If it is not set correctly, policies will not apply.

Will
SOLUTION
A better policy is outlined on Joseph Moody's Deployment Happiness blog:
http://deployhappiness.com/clever-way-manage-administrative-rights-regular-users/#more-8088

What it does is have only one local administrator on a machine at a time; whether or not a user has admin privileges depends on which user is logged in.

Start by creating two security groups in Active Directory named something like:
- Local Admin Computers
- Local Admin Users

Add the users needing administrative rights to the Local Admin Users group. Any computer that they need the permissions on should be added to the Local Admin Computers group. I prefer using two separate groups as I do not like to have multiple object types in the same security group.
Create a new GPO named Restricted Group: Additional Local Admins. Though we will be using Group Policy Preferences, I like keeping the GPO prefix the same as my other restricted groups GPOs. Under Security Filtering, add both groups that you created earlier. We will be using loopback for this GPO; both the user and computer will need permissions to apply the GPO. The GPO should be linked to an OU containing members of the Local Admin Computers security group.

Edit the GPO. If your computers do not already have loopback enabled, navigate to Computer Configuration/Policies/Administrative Templates/System/Group Policy. Enable Configure user Group Policy loopback processing mode and set the mode to Merge. Ensure that the GPO is processed when a member of Local Admin Users logs into a computer in the Local Admin Computers group.
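The group, security-filtering, link and loopback steps from the answer above, scripted as an added PowerShell example that is not from the thread or from Joseph Moody's post. The OU paths, the user `jdoe` and the computer `WS01` are placeholders; the Group Policy Preferences item that actually grants local group membership is still built in the GPO editor as described.

```powershell
# Added example, not from the thread or the blog post it quotes.
# Assumed placeholders: the OU paths, 'jdoe' and 'WS01'. Run as a domain admin on a
# host with the ActiveDirectory and GroupPolicy modules (RSAT) installed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$gpoName  = 'Restricted Group: Additional Local Admins'
$groupOU  = 'OU=Groups,DC=corp,DC=example'        # placeholder: where the groups live
$targetOU = 'OU=Workstations,DC=corp,DC=example'  # placeholder: OU holding the computers
$groups   = 'Local Admin Users', 'Local Admin Computers'

# 1. Two security groups, one object type per group
foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $groupOU
    }
}
Add-ADGroupMember -Identity 'Local Admin Users'     -Members 'jdoe'                  # placeholder user
Add-ADGroupMember -Identity 'Local Admin Computers' -Members (Get-ADComputer 'WS01')  # placeholder PC

# 2. GPO plus security filtering: only the two groups get Apply. Authenticated Users
#    keeps Read so the computer account can still retrieve the user-side settings
#    (user policy has been retrieved in the computer's security context since MS16-072).
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) { New-GPO -Name $gpoName | Out-Null }
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
foreach ($g in $groups) {
    Set-GPPermission -Name $gpoName -TargetName $g -TargetType Group -PermissionLevel GpoApply | Out-Null
}

# 3. Link to the OU that contains the computers, not to a users OU: with loopback
#    the computer must be in scope for the user-side settings to be processed.
$linked = (Get-GPInheritance -Target $targetOU).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes | Out-Null }

# 4. Loopback processing in Merge mode. This is the registry value behind
#    "Configure user Group Policy loopback processing mode" (1 = Merge, 2 = Replace).
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 5. Check: the GPO must show as applied in both the computer and the user section
#    of RSoP for a Local Admin Users member logged on to a Local Admin Computers member.
Get-GPResultantSetOfPolicy -Computer 'WS01' -User 'corp\jdoe' -ReportType Html -Path "$env:TEMP\rsop.html"
```

If the RSoP report lists the GPO as denied with the reason "Security Filtering", one of the two groups is missing the Apply permission, which is the symptom the asker reported.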