Securing desktops, remove local admins and reset password

All of our domain users have local admin rights to their desktops. Removing them one by one can take a long time. I am looking for a better solution that can be done at logon time, or some sort of PowerShell script that I can run against a list of computers.

Secondly, the account "administrator" has no password assigned to it. Though disabled, it can possibly be enabled via safe mode, so we are looking to re-enable the account and set a password on this account as well, similar to question 1, without having to do them one by one. These measures should have been taken into consideration at the time the systems were built, but unfortunately they were not -- we have to clean up the mess that was made by the previous tech.


To re-establish security after everything was quite the opposite is not really possible. Think of backdoors being built in by users that know a little more than the ordinary user...

But OK, this is how it would work: use a GPO that works with Restricted Groups; this will remove admin membership.

About disabled admins: they cannot be enabled in safe mode since the machines are domain-joined, so no worries.

Also strongly recommended is to encrypt all computers. That is considered the very base of any secure network nowadays.

Alessandro Scafaria (Infrastructure Premier Field Administrator) Commented:
Here we go with some powerful articles for you in order to perform what you want to do.

The first 2 articles are related to allowing only certain domain users into the Local Admin group (very helpful).

The 3rd is a best practice.

The last one will help you with the Local Administrator user password change.

GPO to push out local administrators across a domain

How To Use Restricted Groups

Group Policies to apply for security

How To Automate Changing The Local Administrator Password
Feedback would be nice.
stlhost (Author) Commented:
McKnife, you are right, there isn't really any good way to backpedal this mess except to just go through them one by one and fix it. Restricted Groups is probably the best option if I need something immediately. Thanks
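
The scripted route the question asks about, as an added example that is not part of the original thread: it reports who is in the local Administrators group on each listed computer and removes everything not on an allowlist. It assumes it is run from a workstation with administrative rights on the targets; `computers.txt` and the `$Keep` entries are placeholders.

```powershell
# Added example, not from the thread. computers.txt and the $Keep entries are
# placeholders: adjust them to your environment before running.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$ComputerList = '.\computers.txt',              # one hostname per line (assumed file)
    [string[]]$Keep = @('Administrator', 'Domain Admins')   # member names allowed to stay
)

foreach ($computer in Get-Content -Path $ComputerList | Where-Object { $_.Trim() }) {
    $computer = $computer.Trim()
    try {
        # The WinNT ADSI provider works on PowerShell 2.0 (Windows 7) and does not need WinRM.
        $group = [ADSI]"WinNT://$computer/Administrators,group"
        $paths = @(@($group.psbase.Invoke('Members')) | ForEach-Object {
            $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        })
    }
    catch {
        Write-Warning "$computer : cannot read Administrators group ($($_.Exception.Message))"
        continue
    }

    foreach ($path in $paths) {
        # Last path segment is the account or group name; matching is by name only,
        # so DOMAIN\Administrator is kept as well as the local Administrator.
        $name = ($path -split '/')[-1]
        $status = 'Kept'
        if ($Keep -notcontains $name) {
            $status = 'WouldRemove'
            if ($PSCmdlet.ShouldProcess("$computer\Administrators", "Remove $path")) {
                try { $group.psbase.Invoke('Remove', $path); $status = 'Removed' }
                catch { $status = "Failed: $($_.Exception.Message)" }
            }
        }
        # One object per member, so the output can be piped to Export-Csv as an audit record.
        New-Object PSObject -Property @{ Computer = $computer; Member = $path; Status = $status }
    }
}
```

Run it with `-WhatIf` first: every member that would be dropped is reported as `WouldRemove` and nothing is changed.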
Windows 7