bmanice - Posted December 8, 2010

Hey guys, how's it going? I am trying to figure out how to remove all of my users from the local admin group on their machines on my network (Windows XP clients). I would like to do this via GP, but I am a little rusty with it. Can anyone elaborate or possibly guide me to a good directive? Thanks!

Sparda - Posted December 8, 2010

net localgroup administrators %username% /delete

Run script on login ;)

bmanice (Author) - Posted December 8, 2010

> net localgroup administrators %username% /delete
>
> Run script on login ;)

Thanks for the info! Using that command in a login script is a good idea, we were thinking this may be done through GP as well? Do you know if this is possible, Boris?

Sparda - Posted December 8, 2010

Definitely is, admittedly I'd have to figure out how to do it, but it definitely is.

bmanice (Author) - Posted December 8, 2010

> Definitely is, admittedly I'd have to figure out how to do it, but it definitely is.

Appreciate your help, let me know if you find out how to do this... it's driving me nuts!

Infiltrator - Posted December 8, 2010

Found a couple of articles that show how to restrict local admin access via GPO:

http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
http://www.frickelsoft.net/blog/?p=13
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

bmanice (Author) - Posted December 9, 2010

This is great info, thanks again guys... Here is the article that cleared it all up for me and my team:

http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html

Edited December 9, 2010 by bmanice

Infiltrator - Posted December 9, 2010

Gonna bookmark this page, for future reference.

kickarse - Posted February 22, 2011

I wrote an AutoIT script to scan each workstation for local user accounts (admin or otherwise). I can then set the user bit like disabled, user can change pass, etc. Or I can remove each administrator account that doesn't belong. I've set it up so that I can perform this on every workstation it finds in a specific Domain OU. Perhaps you could leverage something like that?

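The per-workstation scan described in the post above, as an added PowerShell example that is not kickarse's AutoIT script or any poster's code. It lists the members of each machine's local Administrators group and reports those not on an allowlist; the computer names, the CORP domain and the allowlist entries are constructed placeholders.

```powershell
# Added example, not from the thread. Report-only audit of the local
# Administrators group; run from an account with admin rights on the targets.
$Computers = @('WS-EXAMPLE-01', 'WS-EXAMPLE-02')        # constructed names
# Hypothetical allowlist in SCOPE\Name form; * matches any machine or domain.
$Allowed   = @('*\Administrator', 'CORP\Domain Admins')

function Get-LocalAdminMember {
    param([string]$Computer)
    # The WinNT ADSI provider works against XP-era clients without extra modules.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # ADsPath is WinNT://DOMAIN/name or WinNT://DOMAIN/COMPUTER/name.
        # An orphaned entry appears as a bare SID with no scope part.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        New-Object PSObject -Property @{
            Computer = $Computer
            Scope    = $parts[-2]
            Name     = $parts[-1]
            ADsPath  = $path
        }
    }
}

function Find-UnexpectedAdmin {
    param([object[]]$Members, [string[]]$Allowlist)
    foreach ($member in $Members) {
        $id = "$($member.Scope)\$($member.Name)"
        # Keep the member only if no allowlist pattern matches it.
        $hit = $Allowlist | Where-Object { $id -like $_ }
        if (-not $hit) { $member }
    }
}

foreach ($c in $Computers) {
    try {
        $members = @(Get-LocalAdminMember -Computer $c)
        Find-UnexpectedAdmin -Members $members -Allowlist $Allowed |
            Select-Object Computer, Scope, Name
        # After review, one finding can be removed with:
        #   ([ADSI]"WinNT://$c/Administrators,group").Remove($finding.ADsPath)
    } catch {
        # Unreachable or access-denied machines are reported, not skipped silently.
        Write-Warning "$c : $($_.Exception.Message)"
    }
}
```

Because the local built-in Administrator account carries the machine name as its scope, the `*\Administrator` pattern also matches a domain account of the same name; tighten the pattern if that matters in your environment.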