Securing desktops, remove local admins and reset password

All of our domain users have local admin rights to their desktops. Removing them one by one can take a long time, so I am looking for a better solution that can be done at logon time, or some sort of PowerShell script that I can run against a list of computers.

Secondly, the account "administrator" has no password assigned to it. Though disabled, it can possibly be enabled via safe mode, so we are looking to re-enable the account and set a password on it as well, similar to question 1, without having to do them one by one. These measures should have been taken into consideration at the time the systems were built, but unfortunately they were not -- have to clean up the mess that was made by the previous tech.

Thanks
stlhost Asked:
 
McKnife Commented:
Hi.

To re-establish security after everything was quite the opposite is not really possible. Think of backdoors being built in by users that know a little more than the ordinary user...

But ok, this is how it would work: Use a GPO that works with restricted groups, this will remove admin membership.

About disabled admins: Cannot be enabled in safe mode since the machines are domain-joined, so no worries.

Also strongly recommended is to encrypt all computers. That is considered the very base of any secure network nowadays.
 
Alessandro Scafaria (Infrastructure Premier Field Administrator) Commented:
Here we go with some powerful articles for you in order to perform what you want to do....

The first 2 articles are related to allowing only certain domain users in the Local Admin group (very helpful).....

The 3rd is a best practice.....

The last one will help you with the Local Administrator user change password.

GPO to push out local administrators across a domain

How To Use Restricted Groups

Group Policies to apply for security

How To Automate Changing The Local Administrator Password
 
McKnife Commented:
Feedback would be nice.
 
stlhost (Author) Commented:
McKnife, you are right, there isn't really any good way to backpedal this mess except to just go through them one by one and fix it. Restricted groups is probably the best option if I need something immediately. Thanks
Question has a verified solution.
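
For the "script that I can run against a list of computers" part of the question, the following is an added example and not code posted by anyone in this thread: it audits the local Administrators group on each listed machine and, only when asked, removes members that are not on an allow-list. It assumes WinRM remoting and Windows PowerShell 5.1 (LocalAccounts module) on the targets; the file names, the `CONTOSO` domain and the group names are hypothetical.

```powershell
# Added example, not from the thread. Needs WinRM and Windows PowerShell 5.1 on the targets.
param(
    [string]$ComputerList = '.\computers.txt',              # hypothetical file, one hostname per line
    [string[]]$AllowedMembers = @('CONTOSO\Domain Admins',  # hypothetical allow-list
                                  'CONTOSO\Desktop-Admins'),
    [switch]$Remove                                         # report only unless this is set
)

$computers = Get-Content -Path $ComputerList | Where-Object { $_.Trim() }

$results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue `
    -ErrorVariable failed -ArgumentList $AllowedMembers, $Remove.IsPresent -ScriptBlock {
    param($allowed, $remove)
    $adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators, locale independent
    foreach ($m in Get-LocalGroupMember -SID $adminsSid) {
        # Keep the built-in local Administrator (RID 500) and anything on the allow-list.
        $builtIn = ($m.PrincipalSource -eq 'Local') -and ($m.SID.Value -like 'S-1-5-21-*-500')
        $action  = 'Kept'
        if (-not $builtIn -and ($allowed -notcontains $m.Name)) {
            $action = 'WouldRemove'
            if ($remove) {
                try {
                    Remove-LocalGroupMember -SID $adminsSid -Member $m -ErrorAction Stop
                    $action = 'Removed'
                } catch {
                    $action = "Failed: $($_.Exception.Message)"
                }
            }
        }
        [pscustomobject]@{ Member = $m.Name; Source = $m.PrincipalSource; Action = $action }
    }
}

# Machines that could not be reached still need a visit (or a later run).
$failed | ForEach-Object { Write-Warning $_.Exception.Message }

# PSComputerName is added by Invoke-Command to every returned object.
$results | Select-Object PSComputerName, Member, Source, Action |
    Export-Csv -Path '.\local-admin-audit.csv' -NoTypeInformation
```

Run it without `-Remove` first and review the CSV; a Restricted Groups GPO, as suggested above, is still what keeps the membership from drifting back afterwards.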
