GPO help?
November 7, 2006 1:35 PM
Can anyone think of a way to use Group Policy to remove users' domain accounts from the local admins group or at least remove their rights?
lol, yes, should have added:
Windows Sysadmin Filter:
posted by Cosine at 2:27 PM on November 7, 2006
I like to do things like this in policy by using startup scripts. Assign a script to the top level of the domain, then the next time the machine reboots it'll execute. My email is in my profile if you want help with the script.
posted by saraswati at 3:20 PM on November 7, 2006
I did this with a GPO using the Restricted Groups setting. Basically, you create a group named Administrators and then you add members. The members of this group are not added to the existing local group, they replace the members of the existing local group. To set a domained machine back to default settings, add Administrator (for local admin) and the Domain Admins group. I would suggest applying the GPO to an OU with a single test machine first (always a good idea). Create a new local admin account, reboot and see if the new account is gone.
The setting is located in:
Computer Configuration\Windows Settings\Security Settings\Restricted Groups
Your DC must be Windows Server 2003. It won't work on Windows 2000 and I'm not sure if XP clients require SP2 or not. It seems like a lot of the really cool new settings (like Software Restrictions) require SP2.
posted by bda1972 at 3:54 PM on November 7, 2006
The following code can be added to a computer startup script (which runs as local system) to remove strUser (and this can be a group as well) from the specified strGroup (which is a local group -- Administrators, Power Users etc.).
' Removes strUser (a domain user or domain group) from the local group strGroup.
' Meant for a computer startup script, which runs as LOCAL SYSTEM.
Function Remove_Domain_Users_From_Local_Group
    Dim strUser, strGroup, WshShell, objWMIService, colItems, objItem
    strUser = "DOMAIN\USERNAME"
    strGroup = "LOCALGROUP"
    Set WshShell = WScript.CreateObject("WScript.Shell")
    Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
    ' Enumerate only the local groups, so a typo in strGroup does nothing
    Set colItems = objWMIService.ExecQuery("Select * from Win32_Group Where LocalAccount = True")
    For Each objItem in colItems
        ' Group names are not case-sensitive, so compare them that way
        If StrComp(objItem.Name, strGroup, vbTextCompare) = 0 Then
            ' Run the command hidden (0) and wait for it to finish (True)
            WshShell.Run "%comspec% /c net localgroup """ & strGroup & """ """ & strUser & """ /delete", 0, True
        End If
    Next
    Set objWMIService = Nothing
    Set WshShell = Nothing
End Function

Remove_Domain_Users_From_Local_Group
posted by purephase at 4:58 PM on November 7, 2006
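As an added example (not from the thread or from any of the posters), here is the startup-script approach from saraswati's and purephase's comments written in PowerShell, with an enumeration function that also serves bda1972's suggested test of a Restricted Groups policy (list the members, reboot, list them again). It assumes a domain whose NetBIOS name is CONTOSO and an allow-list of the built-in local Administrator plus CONTOSO\Domain Admins; the function names and the log path are my own, and it uses the ADSI WinNT provider so it runs on PowerShell 2.0 and later without the LocalAccounts module.

```powershell
# Added example, not from the thread: a GPO computer-startup script that enforces
# an allow-list on the local Administrators group, plus an enumeration function
# for checking what a Restricted Groups policy did after a reboot.
# Assumptions (change for your environment): the domain's NetBIOS name is CONTOSO
# and the only permitted members are the local Administrator and CONTOSO\Domain Admins.

function Get-LocalGroupMembership {
    param([string]$Group = 'Administrators')
    $adsGroup = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    foreach ($m in @($adsGroup.psbase.Invoke('Members'))) {
        # AdsPath is WinNT://DOMAIN/user for domain members and
        # WinNT://DOMAIN/HOST/user for local accounts, so the last two
        # path segments always give "authority\name".
        $path  = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        $class = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        New-Object PSObject -Property @{
            Account = '{0}\{1}' -f $parts[-2], $parts[-1]
            Class   = $class          # User or Group
            AdsPath = $path
        }
    }
}

function Test-AllowedMember {
    param([string]$Account, [string[]]$Allowed)
    # -contains compares case-insensitively, which matches how Windows treats account names.
    return [bool]($Allowed -contains $Account)
}

function Remove-UnapprovedAdmins {
    param(
        [string]$Group = 'Administrators',
        [string[]]$Allowed = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins'),
        [switch]$WhatIf
    )
    $adsGroup = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    $affected = @()
    foreach ($member in Get-LocalGroupMembership -Group $Group) {
        if (Test-AllowedMember -Account $member.Account -Allowed $Allowed) { continue }
        # IADsGroup.Remove takes the member's AdsPath, so domain users,
        # domain groups and local accounts are all handled the same way.
        if (-not $WhatIf) { $adsGroup.Remove($member.AdsPath) }
        $affected += $member.Account
    }
    return $affected
}

# Startup scripts have no console, so record what was removed in a log file.
# Add -WhatIf to the call below to preview on a test machine first.
$log  = Join-Path $env:windir 'Temp\local-admin-cleanup.log'
$gone = @(Remove-UnapprovedAdmins)
foreach ($acct in $gone) {
    Add-Content -Path $log -Value ('{0} removed {1} from Administrators on {2}' -f (Get-Date -Format s), $acct, $env:COMPUTERNAME)
}
```

Run `Get-LocalGroupMembership` before and after the reboot to confirm the policy (or the script) did what you expected. One caveat worth keeping in mind when choosing between the two approaches: a startup script only runs at boot, so an account added to the group mid-session stays there until the next restart, whereas Restricted Groups is enforced again at each policy refresh.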
posted by bystander at 2:25 PM on November 7, 2006