Remove Administrator Account from Administrators Group



We are in the process of creating a group policy that will limit user rights
on the desktop. A major element of our group policy is that it will push
down the local Administrators group, which will contain a domain group for
Network Administrators so that we will have administrator rights to all
machines. Currently, the local Administrator account is a member of the
Administrators group that is pushed down by the group policy. Our security
officer would like us to either remove the local Administrator account from
the group policy, or push it down under a different name. In other words,
if you were to log on to a PC that gets the group policy, and check the local
Administrators group, you would not see the local Administrator account
listed as a member, but you might see an account called something like
"SecureDesktop" that would be the local Administrator account under a
different name.

Given that you can't manually remove the local Administrator account from
the local Administrators group (you get a message akin to, "This action is
not allowed for built-in accounts"), I would say that what our security
officer is asking may not be possible. However, I am very new to group
policies and thought that I should seek some expert advice on whether or not
this can be achieved through a group policy.

Is there a way through a group policy to remove the local Administrator
account from the local Administrators group, or to push it down under a
different name?

--Tom

