remove local admin right in 200 client computer

A

Alexander Brown

Dear all,

We are a middle-size company around 200 staffs. For improve the security
control, we are planning to remove all user local admin right in their
computer. Any logon script, group policy or registry can help us to remove
local admin right in our user computer?

Best regards,

Alexander
 
S

Steven L Umbach

You could use Group Policy Restricted Groups using "members of this group"
to enforce membership of the local administrators group. When applied only
the users/groups specified will be in the local administrators group on the
domain computers within the scope of the Group Policy and other users/groups
will be removed with the exception of the built in administrator account and
I suggest including domain admins also as member of the included groups. The
link below explains in detail how to use Restricted Groups and I suggest
that you create an Organizational Unit to configure it for and then move the
computer accounts you want to affect into that OU which can be a child OU of
an existing OU. I don't recommend using Restricted Groups at the domain
level as you run the risk of affecting domain controllers, etc if not done
correctly.

Steve

http://www.windowsecurity.com/articles/Using-Restricted-Groups.html ---
Restricted Groups
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Adding a group to local admin group 4
can not add myself into the local admin group. But am the Domain A 1
logon script won't run without local admin rights 3
Rename or Not to rename the Local Admin username...... 2
Admin right for station 9
Deny Interactive Logon but Allow Runas 9
Group Policy and User restrictions 5
Local admin rights not flowing through 5

Top