rivkamak
asked on
Best approach to restricting/removing a majority of Users from the Local Administrators Group.
Hi,
I need to remove the end users from the local administrators group on all workstations. For a select group of users, they would need to remain as local admins on their machine. I currently have 1 OU that holds all workstations.
I see that there are two ways of removing users from the admin group: either using a Restricted Groups GPO or Group Policy Preferences. I don't see much of a difference between the two approaches. In either case it would seem that I would have to create two separate OUs, one for computers that don't have end users in the local admin group and the other for computers not linked to any GPO of this type. Is this correct? What would be the best approach to this?
Thank you.
Essentially, you can use an AD group which gives all users within that group admin rights on the machine. Alternatively, you could use a PowerShell script to remove all users from the local admin group apart from the users who need it.
Group Policy Preferences defines the exact list of members. It will add/remove members as necessary to match the list of members that you specify in the policy. I use it for defining local administrators, and by extension if you're not on the list of administrators, you will be removed.
You can use separate OUs, or security filtering, for the two different policies.
First step is to get visibility on these admins. You can sync and manage these local admins using my process.
After this you can start enforcing group memberships so that no new users are added.
Finally you can start clearing the AD-managed local admin group.
Strategy to centrally manage Local Administrators group from Active Directory
https://www.experts-exchange.com/articles/29652/Strategy-to-centrally-manage-Local-Administrators-group-from-Active-Directory.html
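The two answers above describe the same workflow from different angles: first get visibility of who is in the local Administrators group, then enforce an allow list so that everyone else is removed. The script below is an added example of that workflow, not code from any poster in this thread or from the linked article. It assumes the built-in Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later), and the domain name `CONTOSO`, the group `LocalAdmins-<computername>` and the report path are placeholders to be replaced with your own values.

```powershell
#Requires -RunAsAdministrator
<#
  Added example (not from this thread's posters): write an audit record of the
  local Administrators group, then remove every member that is not on the
  allow list. Run with -WhatIf first to see what would be removed.
  Assumes the Microsoft.PowerShell.LocalAccounts cmdlets are available.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Members that must stay. Local accounts are prefixed with the computer name,
    # domain principals with the NetBIOS domain name. CONTOSO and the
    # LocalAdmins-<computer> group are placeholders for your own names.
    [string[]]$Keep = @(
        "$env:COMPUTERNAME\Administrator",
        "$env:COMPUTERNAME\admin",                 # the techs' local account mentioned by the asker
        'CONTOSO\Domain Admins',
        "CONTOSO\LocalAdmins-$env:COMPUTERNAME"    # per-machine AD group holding the exception users
    ),
    # Where the before-change membership report is written (placeholder path).
    [string]$ReportPath = "$env:ProgramData\LocalAdminAudit\$env:COMPUTERNAME.csv"
)

$group = 'Administrators'

try {
    $members = Get-LocalGroupMember -Group $group -ErrorAction Stop
} catch {
    # Known failure mode: an orphaned SID (e.g. a deleted domain account) in the
    # group can make Get-LocalGroupMember throw. Surface it instead of silently
    # doing nothing, so the machine shows up in your audit as unprocessed.
    Write-Error "Could not enumerate $group on $env:COMPUTERNAME : $_"
    return
}

# Step 1: visibility. Record who is an admin before anything is changed.
$null = New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force
$members |
    Select-Object @{ n = 'Computer';  e = { $env:COMPUTERNAME } },
                  Name, ObjectClass, PrincipalSource, SID,
                  @{ n = 'Timestamp'; e = { Get-Date -Format o } } |
    Export-Csv -Path $ReportPath -NoTypeInformation

# Step 2: enforcement. Compare names case-insensitively; anything not in $Keep goes.
$keepSet = [System.Collections.Generic.HashSet[string]]::new(
    [string[]]$Keep, [System.StringComparer]::OrdinalIgnoreCase)

foreach ($m in $members) {
    if ($keepSet.Contains($m.Name)) {
        Write-Verbose "Keeping $($m.Name)"
        continue
    }
    # ShouldProcess honours -WhatIf / -Confirm, so a dry run changes nothing.
    if ($PSCmdlet.ShouldProcess($m.Name, "Remove from local $group")) {
        Remove-LocalGroupMember -Group $group -Member $m
        Write-Output "Removed $($m.Name) ($($m.ObjectClass)) from $group"
    }
}
```

Run it once as `.\Enforce-LocalAdmins.ps1 -WhatIf -Verbose` to get the audit CSV and a list of what would be removed without changing anything; once the allow list is right, deploy it without `-WhatIf` as a GPO computer startup script or a scheduled task running as SYSTEM. Keeping the exception users in a per-machine AD group (rather than listing individual accounts) is what lets the same script, or the equivalent Group Policy Preferences item, apply to every workstation in the single OU without splitting it in two.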
ASKER
Thank you all.
Ben: What do you mean by Systems as opposed to computers?
Systems = Computer Objects
ASKER
Thank you Ben. It seemed that I had two local accounts in that Administrators group. One was Administrator, which I left in, and the other one was named admin, which I left out. The admin account is the local admin account that the techs use. Is there a way of putting them back through Group Policy Preferences? (I tried and it's adding the domain account instead.)
ASKER
Nevermind. I only made a change for a small amount of users so I manually added the local account back in.
Glad to help.
ASKER
Thank you all for your help.