Removing local users from local administrator group

Apollo

Hi,
I am rolling out a GPO with software restriction settings, this all works as
intended.

However, if the user logs in locally they can avoid the GPO and
run/install/amend any software they like as traditionally all users were set
up with a local user account that was added to the machine's local
administrators group.

So, how can I bulk remove users from the local administrators group and
reset the local administrator password? thanks.....

Apollo
 
Ken Zhao [MSFT]

Hello Apollo,

Thank you for using newsgroup!

From your post, for your first question, you want to bulk remove users from
the local administrators group. You may try the following steps:
1. Create an OU including all user accounts you want to move from local
administrators group.
2. Use Restricted Groups group policy to define the following two
properties for security-sensitive (restricted) groups:
   1) Members
   2) Member Of
3. Apply Restricted Groups group policy to this OU.

For more related configuration information, please refer to the following
articles:
279301: Description of Group Policy Restricted Groups
http://support.microsoft.com/kb/279301/en-us

228496: HOW TO: Use Restricted Groups in Windows 2000
http://support.microsoft.com/kb/228496/en-us

810076: Updates to Restricted Groups ("Member of") behavior of user-defined
local groups
http://support.microsoft.com/kb/810076/en-us

For your second question, to bulk reset local administrator passwords, you
have to use a script to do this job.
272530: How to Use the Cusrmgr.exe Tool to Change Administrator Account
Password on Multiple Computers
http://support.microsoft.com/kb/272530/en-us

Thanks & Regards,

Ken Zhao

Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security <http://www.microsoft.com/security>
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.




Mark Heitbrink [MVP]

Hi,

Ken Zhao [MSFT] wrote:
> [Restricted Groups]
> 1. Create an OU including all user accounts you want to move from local
> administrators group.

... just to get a nice and sorted overview :)
But you need to apply the GPO to all the computer accounts that should be
reset. So Step 1a.)
- create an OU and move all the computers to it ...
- link and create the GPO on this OU
- use restricted groups

Mark
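
An added example (not part of the original thread or any poster's code): a PowerShell check to run once the Restricted Groups policy from the steps above has applied to the computer OU, comparing each machine's local Administrators group with an allow-list so that leftover local accounts show up as Unexpected. The domain name `EXAMPLE`, the computer names, the sample members and the `%COMPUTER%` placeholder are assumptions made for illustration.

```powershell
# Added example, not from the thread. EXAMPLE, PC01/PC02 and the allow-list are assumptions.

function Get-LocalAdminMember {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # Group name is localized, e.g. 'Administratoren' on German Windows
        [string]$GroupName = 'Administrators'
    )
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # WinNT://DOMAIN/name or WinNT://DOMAIN/COMPUTER/name: keep the last two segments
        $parts = ($path -replace '^WinNT://', '') -split '/'
        ($parts | Select-Object -Last 2) -join '\'
    }
}

function Compare-AdminMembership {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string[]]$Actual,
        [Parameter(Mandatory)][string[]]$Allowed
    )
    # %COMPUTER% (hypothetical token) lets one allow-list name the built-in
    # account on every machine, e.g. PC01\Administrator
    $allowedHere = $Allowed | ForEach-Object { $_ -replace '%COMPUTER%', $ComputerName }
    [pscustomobject]@{
        ComputerName = $ComputerName
        # -notin compares case-insensitively, matching Windows account names
        Unexpected   = @($Actual | Where-Object { $_ -and $_ -notin $allowedHere })
        Missing      = @($allowedHere | Where-Object { $_ -notin $Actual })
    }
}

$allowed = 'EXAMPLE\Domain Admins', '%COMPUTER%\Administrator'

# Constructed sample: a machine where the policy has not yet removed a local user
$sample = 'PC01\Administrator', 'EXAMPLE\Domain Admins', 'PC01\jsmith'
Compare-AdminMembership -ComputerName 'PC01' -Actual $sample -Allowed $allowed

# Live use against the computers in the OU (names are placeholders):
# foreach ($c in 'PC01', 'PC02') {
#     Compare-AdminMembership -ComputerName $c -Actual (Get-LocalAdminMember $c) -Allowed $allowed
# }
```

For the constructed sample, `Unexpected` contains `PC01\jsmith` and `Missing` is empty; an empty `Unexpected` on every machine means the policy has taken effect there.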
 
Ken Zhao [MSFT]

Thanks Mark!

Thanks & Regards,

Ken Zhao

Ken Zhao [MSFT]

Hi,

I am just writing to see how everything is going. If you have any updates
or need any further assistance on this issue, please feel free to let me
know.

Thanks & Regards,

Ken Zhao

Apollo

No, all done, thanks.


Apollo

Ken Zhao [MSFT]

Hi Apollo,

Thanks for your response. Does it help?

Thanks & Regards,

Ken Zhao
