How to remove Domain Users from Local Administrators Group

Through Group Policy, I want to remove the Domain Users account from the local Administrators group on all client machines. Is there an easy way to do this through Group Policy?

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Vaseem MohammedCommented:
I believe it has been added by Group policy, chk which policy is responsible for it.
By default its not member of local admins.
Peter HutchisonSenior Network Systems SpecialistCommented:
members of the local Administrators group is controlled by the 'Restricted Groups' item in Group Policy. Configuring this with a list users and and groups will overwrite any existing administrator group settings. The minimum required in Administrators is:

AD\Domain Admins

You can also add your own domain security group of approved users who can have load admin rights.
Hypercat (Deb)Commented:
Just to clarify what Peter Hutchinson said, it's not completely accurate.  You won't necessary overwrite all existing membership if done correctly.   So, if you want to just add a domain-based security group to the local administrators group, you can easily do this without removing the already existing members of the local administrators group.  Please refer to this article:

In order for the Domain Users group to be a member of the local administrators, someone must have already either gone to each workstation and added it manually or used a group policy to add it.  If there's a group policy and you find it, then deleting the Domain Users group from that policy should remove that group and leave the rest of the membership of the local administrators group untouched.
IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

BuRinger7aAuthor Commented:
Our workstation policy did have Domain Users in the Restricted Groups. I removed Domain Users from Restricted Groups and after a few gpupdate /force and a few reboots, it did not remove Domain Users from the Administrators group.
BuRinger7aAuthor Commented:
I was able to remove Domain Users.

Under Computer Settings - Preferences - Control Panel - Local Users and Groups...I added a new group.
Action - Update
Group name -  Administrators (built-in)
Click Add
Type Domain Users and from the Action drop down menu choose Remove from this group

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Hypercat (Deb)Commented:
OK - interesting.  I had the exact same situation, but it was not with a built-in group like Domain Users.  I had created a separate group and then used that group to designate certain user(s) as local admins.  In my case, just removing the group from the policy worked fine.  So, it appears that the difference you ran into was at least partly due to the fact that the group policy for the Restricted Groups was set to use a built-in group.  Anyway, glad it worked out for you.
BuRinger7aAuthor Commented:
I was able to find a solution.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.