GPO help?
November 7, 2006 1:35 PM   Subscribe

Can anyone think of a way to use Group Policy to remove user's domain accounts from the local admins group or at least remove their rights?
posted by Cosine to Computers & Internet (6 answers total)
 
I assume this is something to do with Windows?
posted by bystander at 2:25 PM on November 7, 2006


lol, yes, should have added:

Windows Sysadmin Filter:
posted by Cosine at 2:27 PM on November 7, 2006


I like to do things like this in policy by using startup scripts. Assign a script to the top level of the domain, then the next time the machine reboots it'll execute. My email is in my profile if you want help with the script.
posted by saraswati at 3:20 PM on November 7, 2006


I did this with a GPO using the Restricted Groups setting. Basically, you create a group named Administrators and then you add members. The members of this group are not added to the existing local group, they replace the members of the existing local group. To set a domained machine back to default settings, add Administrator (for local admin) and the Domain Admins group. I would suggest applying the GPO to an OU with a single test machine first (always a good idea). Create a new local admin account, reboot and see if the new account is gone.

The setting is located in:
Computer Configuration\Windows Settings\Security Settings\Restricted Groups

Your DC must be Windows Server 2003. It won't work on Windows 2000 and I'm not sure if XP clients require SP2 or not. It seems like a lot of the really cool new settings (like Software Restrictions) require SP2.
posted by bda1972 at 3:54 PM on November 7, 2006


The following code can be added to a computer startup script (which runs as local system) to remove strUser (and this can be a group as well) from the specified strGroup (which is a local group -- Administrators, Power Users etc.).


Function Remove_Domain_Users_From_Local_Group
  Dim strUser, strGroup, WshShell, objWMIService, colItems, objItem

  strUser = "DOMAIN\USERNAME"
  strGroup = "LOCALGROUP"

  Set WshShell = WScript.CreateObject("WScript.Shell")

  Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")

  Set colItems = objWMIService.ExecQuery("Select * from Win32_Group Where LocalAccount = True")
  For Each objItem in colItems
    If objItem.Name = strGroup Then
      WshShell.Run "%comspec% /c net localgroup """ & strGroup & """ """ & strUser """ /delete", 0, True
    End If
  Next

  Set objWMIService = Nothing
  Set WshShell = Nothing
End Function

posted by purephase at 4:58 PM on November 7, 2006


I am in SO over my head...
posted by Cosine at 3:45 PM on November 8, 2006


« Older Why the engine so far forward?   |   Video location Newer »
This thread is closed to new comments.