How to remove Domain Users from Local Administrators Group

Through Group Policy, I want to remove the Domain Users account from the local Administrators group on all client machines. Is there an easy way to do this through Group Policy?

Who is Participating?
BuRinger7aAuthor Commented:
I was able to remove Domain Users.

Under Computer Settings - Preferences - Control Panel - Local Users and Groups...I added a new group.
Action - Update
Group name -  Administrators (built-in)
Click Add
Type Domain Users and from the Action drop down menu choose Remove from this group
Vaseem MohammedCommented:
I believe it has been added by Group policy, chk which policy is responsible for it.
By default its not member of local admins.
Peter HutchisonSenior Network Systems SpecialistCommented:
members of the local Administrators group is controlled by the 'Restricted Groups' item in Group Policy. Configuring this with a list users and and groups will overwrite any existing administrator group settings. The minimum required in Administrators is:

AD\Domain Admins

You can also add your own domain security group of approved users who can have load admin rights.
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Hypercat (Deb)Commented:
Just to clarify what Peter Hutchinson said, it's not completely accurate.  You won't necessary overwrite all existing membership if done correctly.   So, if you want to just add a domain-based security group to the local administrators group, you can easily do this without removing the already existing members of the local administrators group.  Please refer to this article:

In order for the Domain Users group to be a member of the local administrators, someone must have already either gone to each workstation and added it manually or used a group policy to add it.  If there's a group policy and you find it, then deleting the Domain Users group from that policy should remove that group and leave the rest of the membership of the local administrators group untouched.
BuRinger7aAuthor Commented:
Our workstation policy did have Domain Users in the Restricted Groups. I removed Domain Users from Restricted Groups and after a few gpupdate /force and a few reboots, it did not remove Domain Users from the Administrators group.
Hypercat (Deb)Commented:
OK - interesting.  I had the exact same situation, but it was not with a built-in group like Domain Users.  I had created a separate group and then used that group to designate certain user(s) as local admins.  In my case, just removing the group from the policy worked fine.  So, it appears that the difference you ran into was at least partly due to the fact that the group policy for the Restricted Groups was set to use a built-in group.  Anyway, glad it worked out for you.
BuRinger7aAuthor Commented:
I was able to find a solution.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.