Removing domain local groups from Wind XP local administrators gro

Guest

I have 1200 Windows XP workstations on a newly migrated Windows 2000 Active
Directory domain (migrated from NT 4.0 to Win2K AD). We have about 70 domain
local groups that are members of the local administrators group on different
Windows XP computers (running SP1). Different users belong to different
domain local groups. We have decided that we do not want these groups to be
members of the local admin groups on the Win XP computers anymore because we do not want
the users to have administrative privilege or be members of the local
administrators group on the Win XP computers.

Is there a way to set this as a GPO on the domain controllers or a script
to add to the startup script that will automate this, instead of doing it
manually on each computer?

Thanks!
OD
 
Guest

You can use the "Restricted Groups" in the security section of the GPO. You
simply add the groups/users that you only want as a member of the local
administrators group. As a warning about adding local users to restricted
groups, only add users with well-known SIDs (Administrator for example). If
you add a domain user to the group, it will propagate to all systems that
apply the GPO. In addition, any group/users that were added manually to the
workstation will be removed if that group/user is not included in the
Restricted Groups member list. A good configuration would be adding "Domain
Admins", Local Administrator, and a domain Support/Help Desk group to the
Administrators restricted members list.
 
Jorge_de_Almeida_Pinto

I have 1200 Windows XP workstations on a newly migrated Windows 2000 Active
Directory domain (migrated from NT 4.0 to Win2K AD). We have about 70 domain
local groups that are members of the local administrators group on different
Windows XP computers (running SP1). Different users belong to different
domain local groups. We have decided that we do not want these groups to be
members of the local admin groups on the Win XP computers anymore because we do not want
the users to have administrative privilege or be members of the local
administrators group on the Win XP computers.

Is there a way to set this as a GPO on the domain controllers or a script
to add to the startup script that will automate this, instead of doing it
manually on each computer?

Thanks!
OD

Use the restricted groups feature in a GPO using the members option.
This way you define which groups/users are allowed to be a member of
the local administrators group. Each group/user that is not
specifically defined in the members option by you is kicked out of the
group.
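
An added example, not part of any post in this thread: both answers above note that the Restricted Groups "Members" list replaces local membership instead of merging with it, so this sketch previews who would be removed from and added to a workstation's Administrators group before the GPO is linked. The `net localgroup Administrators` output is a constructed sample (English-language output assumed), and the `EXAMPLE` domain and the account names are hypothetical.

```python
# Added example: preview what a Restricted Groups "Members" list would change.
# SAMPLE_OUTPUT is constructed; EXAMPLE is a hypothetical domain name.

SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
EXAMPLE\\Domain Admins
EXAMPLE\\DL-Sales-Admins
EXAMPLE\\jsmith
The command completed successfully.
"""

# Hypothetical Members list as it would be entered in the GPO.
ALLOWED = ["Administrator", "EXAMPLE\\Domain Admins", "EXAMPLE\\HelpDesk"]


def parse_members(output):
    """Return member names from `net localgroup <group>` output."""
    members, in_list = [], False
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("----"):
            in_list = True          # member names start after the dashed rule
        elif line.lower().startswith("the command completed"):
            break                   # trailer line ends the member list
        elif in_list and line:
            members.append(line)
    return members


def preview(current, allowed):
    """Members semantics: the list replaces membership, it does not merge."""
    key = str.lower                 # Windows account names are case-insensitive
    allowed_keys = {key(a) for a in allowed}
    current_keys = {key(c) for c in current}
    removed = [c for c in current if key(c) not in allowed_keys]
    added = [a for a in allowed if key(a) not in current_keys]
    return removed, added


if __name__ == "__main__":
    removed, added = preview(parse_members(SAMPLE_OUTPUT), ALLOWED)
    print("would be removed:", removed)
    print("would be added:  ", added)
```

Running this over output collected from a sample of workstations shows which of the existing groups and manually added accounts would lose administrative rights once the policy applies.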
 
Olu Daniels

Thanks guys. I tried it in the lab... It works, so just added it to the
production environment. Is there a way to force the policy to take effect on
all workstations without using the gpupdate at each workstation?
 
