How to remove certain domain users as local administrators on certain domain computers with group policy?

I have tried to create a GPO in S2K8 R2 which should've removed certain users as local administrators on all computers they have been granted administrator rights on. I've linked the GPO to the Users OU and added the users in question to the security filtering window. For some reason this doesn't work. What have I missed?
Lene Zachariassen Asked:
 
Will Szymkowski, Senior Solution Architect, Commented:
If you are talking about Restricted Groups then you have applied the policy to the wrong OU. Restricted Groups is a computer based policy so it needs to be assigned to the OU where the computers reside.

Will.
 
Lene Zachariassen (Author) Commented:
I have now linked the policy to "machines" under the domain with the user names in question in the filtering, but the policy still doesn't apply. Please see the attached report.
 
Will Szymkowski, Senior Solution Architect, Commented:
Your file does not have a file extension. Have you made sure that Security Filtering is set properly? If it is not set correctly, policies will not apply.

Will
 
Don, Network Administrator, Commented:
Also, this policy won't apply until the clients are restarted.
 
David Johnson, CD, MVP, Owner, Commented:
A better policy is outlined on Joseph Moody's deployment happiness blog:
http://deployhappiness.com/clever-way-manage-administrative-rights-regular-users/#more-8088

What it does is only have one local administrator on a machine at a time, and it depends upon which user is logged in whether or not they have admin privileges.

Start by creating two security groups in Active Directory named something like:
- Local Admin Computers
- Local Admin Users

Add the users needing administrative rights to the Local Admin Users group. Any computer that they need the permissions on should be added to the Local Admin Computers group. I prefer using two separate groups as I do not like to have multiple object types in the same security group.
Create a new GPO named Restricted Group: Additional Local Admins. Though we will be using Group Policy Preferences, I like keeping the GPO prefix the same as my other restricted groups GPOs. Under Security Filtering, add both groups that you created earlier. We will be using loopback for this GPO - both the user and computer will need permissions to apply the GPO. The GPO should be linked to an OU containing members of the Local Admin Computers security group.

Edit the GPO. If your computers do not already have loopback enabled, navigate to Computer Configuration/Policies/Administrative Templates/System/Group Policy. Enable Configure user Group Policy loopback processing mode and set the mode to Merge. Ensure that the GPO is processed when a member of Local Admin Users logs into a computer in the Local Admin Computers group.
Question has a verified solution.
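
The group, GPO, security filtering and loopback steps from the last comment above can be scripted as follows. This is an added example, not part of the thread or of the linked blog post; the OU paths are placeholders, and it assumes the security filter is restricted to the two groups and that the RSAT ActiveDirectory and GroupPolicy modules are installed.

```powershell
# Added example: AD and GPO scaffolding for the two-group loopback setup.
# Assumption: the two OU paths are placeholders for your own domain.
Import-Module ActiveDirectory, GroupPolicy

$groupOu    = 'OU=Groups,DC=example,DC=com'    # placeholder: where the groups live
$computerOu = 'OU=Machines,DC=example,DC=com'  # placeholder: OU holding the computers
$gpoName    = 'Restricted Group: Additional Local Admins'
$groups     = 'Local Admin Computers', 'Local Admin Users'

# 1. One security group per object type, created only if missing.
foreach ($g in $groups) {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $groupOu
    }
}

# 2. The GPO itself, created only if missing.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }

# 3. Security filtering: both groups need Apply because loopback evaluates
#    the GPO for the computer and for the user logging on to it.
foreach ($g in $groups) {
    Set-GPPermission -Guid $gpo.Id -TargetName $g -TargetType Group -PermissionLevel GpoApply
}
# Assumption: Authenticated Users is taken out of the filter. It keeps Read
# (not Apply) so that computer accounts can still read the GPO.
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace

# 4. "Configure user Group Policy loopback processing mode" = Merge.
#    The policy is stored as UserPolicyMode (1 = Merge, 2 = Replace).
Set-GPRegistryValue -Guid $gpo.Id -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1 | Out-Null

# 5. Link to the OU that contains the computers (computer-side policy).
#    New-GPLink raises an error if this link already exists.
New-GPLink -Guid $gpo.Id -Target $computerOu -LinkEnabled Yes | Out-Null

# 6. Show the resulting filter so a wrong entry is caught before rollout.
Get-GPPermission -Guid $gpo.Id -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# The Group Policy Preferences item that grants the admin right is not created
# here: the GroupPolicy module has no cmdlet for it, so build it in the GPO editor.
```

On a member computer, after the restart mentioned earlier in the thread, `gpresult /r` lists the GPO under either applied or filtered-out objects, which shows whether the security filtering matched.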