Removing domain local groups from Wind XP local administrators group

O

Olu Daniels

I have 1200 Windows XP workstations on a newly migrated Windows 200 Active
Directory domain (Migrated from NT 4.0 to Win2K AD). We have about 70 domain
local groups that are member of local administrators group on different
Windows XP computers (running SP1). Different users belong to different
domain local groups. We have decided that we do not want this groups to be
member of the local admin groups on the Win XP anymore because we do not
want the users to have administrative privilege or be members of the local
administrator's group on the Win XP computers.



Is there a way to set this as a GPO on the domain controllers or a script
to add to the startup script that will automate this, instead of doing it
manually on each computer?



Thanks

OD
 
N

Norbert Fehlauer [MVP]

O

Olu Daniels

Thanks! I tried it in the lab...It works: Is there a way to force the policy
to take effect immediately on
all workstations without using the gpupdate at each workstations?

thanks!
 
N

Norbert Fehlauer [MVP]

Olu Daniels wrote:
Hi,
Thanks! I tried it in the lab...It works:

Glad to hear.
Is there a way to force the
policy to take effect immediately on
all workstations without using the gpupdate at each workstations?

AFAIK this only works on reboot. But if you try it in your lab with gpupdate
and it worked, than it should pick up the changes at the next background
refresh. Would be nice if you can give me the info what worked. ;)

Bye
Norbert
 
O

Olu Daniels

I used gpupdate in the lab on an XP workstation after createing trhe GPO and
applying it to domain computers domain group.
 
N

Norbert Fehlauer [MVP]

Olu said:
I used gpupdate in the lab on an XP workstation after createing trhe
GPO and applying it to domain computers domain group.

If a user is logged on that will make him not deny admin rights, as group
memberships are only read at logon afaik. So all your computers have to
rebooted to be sure no one is administrator. Don't lock yourself out. ;)


Bye
Norbert
 
O

Olu Daniels

Thanks! It works I rebooted one of the XPs ans voila it works. I guess I
have to wait for the users to reboot that may take a week or two.

thanks again.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top