Re: remove local admin rights



Thanks for your info - I finally did get the Restricted group to work -
I kind of struggle with the scripts... :-)
--
Cindy B


"Lanwench [MVP - Exchange]" wrote:

Cindy B <benedett@xxxxxxxxxxxx> wrote:
Hi-
I have set up a policy to make all domain users Local Admins - I
apply this policy when we need to push out updates to the
workstations, so the users can install with their profile. It's been
great - saves us a lot of hands-on time.

Well - sure, but if you use WSUS and GP to distribute updates & software,
this shouldn't be something you need to do regularly. Users shouldn't
require admin rights.


Here's the problem... even though I remove the policy after a day or
2, I just realized that the setting stayed in place. All domain
users have remained in the local Admin group... THAT'S NOT what I
wanted. I thought when I removed the policy - it would remove them
from the Admin group.

Is there a way with a new GP to remove them from that Admin group?
HELP! Thanks for your time or sharing your knowledge!

I'm not sure of the exact answers to your questions, but thought I'd post
anyway, because instead of using restricted groups, here's what I do -

Set up AD groups called LocalAdmin, LocalPowerUser, to make this easier. You
can also create one for Remote Desktop access, too - in this case, RDaccess

The batch file would have this:
.........
REM Add the AD groups to the matching local groups on each workstation.
REM Group names that contain spaces must be quoted, or net.exe treats the
REM second word as an extra argument and the command fails.
REM Re-adding a group that is already a member only reports error 1378 and
REM changes nothing, so the script is safe to run at every startup.
net localgroup Administrators DOMAIN\localadmin /add
net localgroup "Power Users" DOMAIN\localpoweruser /add
net localgroup "Remote Desktop Users" DOMAIN\RDaccess /add
.........

You can create/link a new GPO at the appropriate OU where your computers
live (if you haven't created custom ones, you'll need to - unless you're
using SBS, which creates its own hierarchy).

Edit the GPO - go to Computer Configuration \ Windows Settings \ Scripts
(startup/shutdown)
Double-click Startup, click Add
Copy the batch file you created to the clipboard, then paste it in the
window here
Exit/apply/ok/finish whatever

All the computers in this OU should have the startup script applied when
they restart, and you can now control all this at the server. Add users or
groups to the AD "LocalAdmin" group and remove them when you wish.

Restricted groups are useful sometimes but I'm old fashioned and prefer the
granular control I get with this technique.
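As an added example (not code from Lanwench's or Cindy's posts), here is the same startup-script idea written in PowerShell so that it enforces membership of the local Administrators group instead of only adding to it: it adds the AD group that should be local admin and removes "Domain Users", the group that in this thread was left behind after the policy was unlinked. It assumes Windows 10 / Server 2016 or later (the Microsoft.PowerShell.LocalAccounts cmdlets), a NetBIOS domain name of CONTOSO and an AD group named LocalAdmin; all three are placeholders to replace with your own. It runs as SYSTEM when deployed as a GPO computer startup script.

```powershell
# Added example, not code from the original thread. Enforces the local
# Administrators group on each workstation: adds the intended AD group and
# removes principals that should never be there. Assumes Windows 10 /
# Server 2016+ (Microsoft.PowerShell.LocalAccounts) and runs as SYSTEM
# from a GPO computer startup script.

$Domain     = 'CONTOSO'                     # assumption: your NetBIOS domain name
$LocalGroup = 'Administrators'
$Wanted     = @("$Domain\LocalAdmin")       # assumption: AD group that should be local admin
$Forbidden  = @("$Domain\Domain Users")     # the group this thread found lingering

# Membership as DOMAIN\Name strings. Orphaned SIDs from deleted accounts
# make Get-LocalGroupMember throw, so those entries are skipped.
function Get-Members {
    Get-LocalGroupMember -Group $LocalGroup -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Name }
}

$before  = @(Get-Members)
$changes = @()

# Add anything that should be there but is missing (idempotent).
foreach ($m in $Wanted) {
    if ($before -notcontains $m) {
        Add-LocalGroupMember -Group $LocalGroup -Member $m
        $changes += "added $m"
    }
}

# Remove anything that must not be there, e.g. Domain Users left behind.
foreach ($m in $Forbidden) {
    if ($before -contains $m) {
        Remove-LocalGroupMember -Group $LocalGroup -Member $m
        $changes += "removed $m"
    }
}

# Audit trail in the Application log, so you can see which machines had to
# be corrected. The event source is registered the first time this runs.
$source = 'LocalAdminEnforce'
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}
$type = if ($changes) { 'Warning' } else { 'Information' }
$message = if ($changes) {
    "Corrected $LocalGroup on $($env:COMPUTERNAME): $($changes -join '; '). " +
    "Now: $((Get-Members) -join ', ')"
} else {
    "$LocalGroup on $($env:COMPUTERNAME) already compliant: $($before -join ', ')"
}
Write-EventLog -LogName Application -Source $source -EventId 1000 `
    -EntryType $type -Message $message
```

Deploy it from the same place as the batch file, Computer Configuration \ Windows Settings \ Scripts (Startup), using the PowerShell Scripts tab. Because the script removes as well as adds, it corrects the lingering membership on every restart, and the Warning-level events give you a list of the machines where Domain Users was still present. Restricted Groups in "Members of this group" mode enforces membership the same way declaratively; the script is the hand-rolled equivalent with logging.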
