Remove users as local admin

withanh

IS-IT--Management
Dec 17, 2008
221
US
We recently got a new VP of IT and he wants us to remove the local admin rights of all our users. Unfortunately, 75% of our users are field based and I can't get my hands on them easily.

I'm hoping there's a way to remove the users from the Local Administrators group via Group Policy; I'd even take a VB script if that would do it.

My domain is 2008 R2 and 99% of my workstations/laptops are XP SP3.

Thanks if anyone can help.

Darhl

 
Yes, I saw restricted groups, but from what I can tell and from my testing that's more for adding users to the local admins group than for removing people from the local admins group.

My issue is that all my remote/laptop users are already set as local admins; I need to remove them from the local admins group.
 
I guess it's fair to mention that I was able to use Restricted Groups to add a user to the local admin's group, then I was able to remove that user from the local admin's group.

However, I have not been able to use it to remove an already existing user from the local admin's group.

Darhl
 
A Restricted Groups policy will wipe the contents of the target group and populate it with the list in the GPO. If you aren't seeing this behavior, then you haven't configured it correctly.

PSC
[—] CCNP [•] CCSP [•] MCITP: Enterprise Admin [•] MCSE [—]

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
 
Evidently I was having a dense moment (or two). The documentation I was reading said to create a domain group then use Restricted Groups to add/remove membership in that group.

I stumbled across another article that said to not create a new group, but to just put in the name of the existing group you're configuring, i.e. DOMAIN\Group. It struck me that if I omitted the DOMAIN\ it might configure the local group. I tried that and it worked.

Darhl
 
No... Don't browse for the group name. Simply type Administrators, then type the names of the members starting with Administrator and <Domain>\Domain Admins.

The system will do name resolution at the time the group policy is applied. The SIDs are not stored with this particular policy.

PSC
 
Thanks PScottC, I appreciate the clarification on that!

Darhl
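
Added example, not part of any post in this thread: a PowerShell check to run on a workstation after the Restricted Groups policy for Administrators has applied, confirming the local group holds only the members typed into the GPO. It assumes the English group name Administrators and PowerShell 2.0 or later on the workstation; CONTOSO is a placeholder domain name and the function names are made up for this example.

```powershell
# Added example: audit the local Administrators group after the Restricted
# Groups GPO has applied. CONTOSO is a placeholder domain name (assumption).
$Expected = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins')

function Get-LocalAdminMember {
    # Read the group through the WinNT ADSI provider, which works on XP SP3
    # with PowerShell 2.0 as well as on later Windows versions.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # WinNT://DOMAIN/name or WinNT://DOMAIN/COMPUTER/name: keep the last two parts
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 2) { '{0}\{1}' -f $parts[-2], $parts[-1] }
        else { $parts[0] }   # unresolved SID left behind by a deleted account
    }
}

function Compare-AdminMembership {
    param([string[]]$Actual, [string[]]$Expected)
    # -notcontains is case-insensitive, which matches Windows account names
    New-Object PSObject -Property @{
        Unexpected = @($Actual   | Where-Object { $Expected -notcontains $_ })
        Missing    = @($Expected | Where-Object { $Actual   -notcontains $_ })
    }
}

# Constructed sample: a laptop where the policy has not applied yet
$sample = @('LAPTOP01\Administrator', 'CONTOSO\Domain Admins', 'CONTOSO\jsmith')
$demo = Compare-AdminMembership -Actual $sample `
    -Expected @('LAPTOP01\Administrator', 'CONTOSO\Domain Admins')
"Sample, unexpected: $($demo.Unexpected -join ', ')"

# Live check on the machine the script runs on
$result = Compare-AdminMembership -Actual @(Get-LocalAdminMember) -Expected $Expected
if ($result.Unexpected.Count -or $result.Missing.Count) {
    "NOT COMPLIANT  unexpected: $($result.Unexpected -join ', ')  missing: $($result.Missing -join ', ')"
} else {
    'Compliant: Administrators matches the Restricted Groups list'
}
```

For field laptops that are rarely on the network, the output line can be collected by whatever inventory or logon-script mechanism is already in place, so machines where the policy has not yet applied stand out.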
 