Asked by ManieyaK_:
Add\Remove Users & Groups using GPO

Using Group Policy, how can I remove groups/users from Local Users on local machines across the domain? Basically, what we need to do is remove Domain Admins and Enterprise Admins from the local admin group and add the newly created "Local_Admin" group to the local admin group.
arnold:
Yes: Computer Configuration, Security Settings, Restricted Groups.
There are two modes: one removes unauthorized user/group accounts, the other adds the specified account to a group.
In your case:

Double check and make sure you know what the current local Administrators group has and its purpose.
Builtin\Administrators will, to start with, include Domain Admins, Enterprise Admins, Local_Admin.

The "add" (bottom) section:
Builtin\Administrators: add Local_Admin.

Test to make sure it works; you may want to apply this GPO to the OUs where the workstations are.

You can test this GPO by adding an unauthorized account to the local Administrators group on a system, then, after the GPO refresh (30-90 minutes), see if the account was kicked out.

Shaun Vermaak has an article/tool that centrally manages local administrator accounts from a script, which might help you not run into issues following the deployment of this GPO,
i.e. removing an account ....... locking out the user ....
Hi,

Make sure you test this on a single machine first, but this should do it for you: https://www.syspanda.com/index.php/2017/03/30/critical-security-control-5-removing-local-administrators-once-and-for-all/

Let me know how it goes :)
You can do it with Restricted Groups or the GPO Local Users and Groups preferences.
https://www.experts-exchange.com/articles/29596/Securing-Active-Directory-Administrators-Groups.html

"remove Domain Admins, & Enterprise Admins from local admin group"
I believe your approach is wrong; DA and EA can always find a way to get administrative rights.
If you feel the need to remove DA and EA, it seems to me you overpopulated your Domain Admins etc. groups. You can also follow the above article to get those members out.
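The test arnold describes above (drop an unauthorized account into the local Administrators group, wait for the policy refresh, check whether it was removed) and the Restricted Groups approach both come down to one question: after the GPO applies, does Builtin\Administrators on each workstation contain only the intended members? The following PowerShell script is an added example, not code from this thread or from Experts Exchange, that answers that question across a list of machines. It assumes a domain NetBIOS name of CONTOSO and the group name Local_Admin from the question; both are placeholders to adjust. It needs Windows PowerShell 5.1 or later for Get-LocalGroupMember, and WinRM for remote targets.

```powershell
# Added example (not code from the thread): audit the local Administrators group on one
# or more domain workstations and report whether the Restricted Groups policy produced
# the intended membership.
# Assumptions (placeholders to adjust): the domain's NetBIOS name is CONTOSO and the new
# group is named Local_Admin, as in the question.

param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$DomainNetBios  = 'CONTOSO'   # assumption: your domain's NetBIOS name
)

# Runs on each target machine and returns one result object per host.
$Audit = {
    param([string]$DomainNetBios)

    # Membership the GPO is meant to leave behind: the built-in local Administrator
    # account plus the new domain group from the question.
    $expected = @("$env:COMPUTERNAME\Administrator", "$DomainNetBios\Local_Admin")

    # Principals the question wants removed from Builtin\Administrators.
    $mustBeAbsent = @("$DomainNetBios\Domain Admins", "$DomainNetBios\Enterprise Admins")

    try {
        # Name comes back as DOMAIN\account or COMPUTER\account. Orphaned SIDs left by
        # deleted accounts appear as raw S-1-5-... strings and count as unexpected too.
        $members = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
                     Select-Object -ExpandProperty Name)
        $err = $null
    } catch {
        # Get-LocalGroupMember fails on some builds when the group holds an unresolvable
        # SID; record the error rather than silently reporting the host as compliant.
        $members = @()
        $err = $_.Exception.Message
    }

    $privileged    = @($members | Where-Object { $_ -in $mustBeAbsent })
    $unexpected    = @($members | Where-Object { $_ -notin $expected })
    $hasLocalAdmin = "$DomainNetBios\Local_Admin" -in $members

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        PolicyCompliant   = ($null -eq $err) -and ($privileged.Count -eq 0) -and $hasLocalAdmin
        PrivilegedPresent = $privileged -join '; '   # DA/EA still present: GPO not applied yet
        Unexpected        = $unexpected -join '; '   # the "unauthorized account" test from above
        LocalAdminMissing = -not $hasLocalAdmin
        Error             = $err
    }
}

$results = foreach ($computer in $ComputerName) {
    if ($computer -ieq $env:COMPUTERNAME) {
        & $Audit $DomainNetBios
    } else {
        Invoke-Command -ComputerName $computer -ScriptBlock $Audit -ArgumentList $DomainNetBios
    }
}

$results | Format-Table Computer, PolicyCompliant, PrivilegedPresent, Unexpected, LocalAdminMissing, Error -AutoSize
```

Save it as, for instance, Audit-LocalAdmins.ps1 and run `.\Audit-LocalAdmins.ps1 -ComputerName ws01,ws02 -DomainNetBios CORP` from an account that can use WinRM on the targets. To skip the 30-90 minute wait on the test machine, run `gpupdate /target:computer /force` there first, and `gpresult /r /scope computer` will list whether the Restricted Groups GPO was applied at all. A host that still shows Domain Admins or Enterprise Admins in PrivilegedPresent has not received the policy; a non-empty Unexpected column after refresh means the "remove unauthorized members" mode is not enforcing.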
ManieyaK_ (asker):
Shaun, the reason we're attempting to make these changes is to comply with the Win 10 DISA STIG.
Rule Title: The Deny log on through RDP and Deny log on locally user rights on workstations must at a minimum be configured to prevent access from highly privileged domain accounts and local accounts.
Asker certified solution: Shaun Vermaak (solution text not available on this page).