?
Solved

Group Policy, Server 2012: Remove local Administrator users on Workstations, not Servers

Posted on 2016-08-23
3
Medium Priority
?
78 Views
Last Modified: 2016-08-23
Good Afternoon,

We are currently in the midst of a "Security Shake Up" at my company.

We wish to remove all Users from the Local Administrator group on all User Workstations throughout the company, excepting a few Admin users. While I know we can do this through User Configuration > Preferences > Control Panel Settings > Local Users and Groups, we are NOT wanting these Group Policy settings to affect the local Administrator group on the Servers.

I am curious if there is a way to set a Group Policy that will remove all users from a machines local Administrator group on Workstations, but not on the Servers. User systems have Windows 7, Windows 8.1, and Windows 10 64-Bit installed. We already have all User systems sorted into an OU, and Servers in a separate OU, in AD, if that helps.

Thanks in advance!
0
Comment
Question by:Woodrax
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 16

Accepted Solution

by:
FOX earned 2000 total points
ID: 41767531
Use group policy preferences.  You will remove all the local admins on the workstations and set the new local admins.  Point the gpp to the OU with your workstations.

ref link: http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
0
 

Author Closing Comment

by:Woodrax
ID: 41767639
Guess it has been too long since I enacted new Group Policy. Forgot how easy Group Policy Management makes it to link to existing OU structure. Thanks!
0
 
LVL 16

Expert Comment

by:FOX
ID: 41767643
Good work
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Here's a look at newsworthy articles and community happenings during the last month.
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question