removing admin rights from users

[PreviousPoster]

Hi,
I have to control 100+ pc's in my network domain.
some of the domain users already have admin rights to their local pc, and i want to remove it via GPO that way no one will have admin rights unless they are admin in the domain.

is it possible to do this via GPO?
is it also possible to set a domain user as local admin via GPO?

[PreviousPoster]

Hi,

You have 3 options as I see it.

1) "Restricted Groups" - which is part of normal Group Policy.

2) "Group Policy Preferences" - new stuff, please read these articles:
http://www.windowsecurity.com/articles/Group-Policy-related-changes-Windows-Server-2008-Part3.html
http://www.windowsecurity.com/articles/Group-Policy-related-changes-Windows-Server-2008-Part4.html

3) Scripting (Computer Startup Scripts) - hard work if you can get it ;-)

Remember to test both, whatever option you choose, carefully!

[graycat]

I was in a similar situation a few years back when we had no idea how many users had local admin rights but new it was over 100.

We considered restricted groups but discounted it as overwritting the local membership could potentially cause us a lot of heartache with some of our existing applications.

In the end we went with logon scripts. These basically removed the user from the local admin group during logon unless a flag file was present in their profile. The downside is that if the user knows about it, they can add themselves back in. however, the script just keeps running at each logon so eventually we got them all ..... and didn't advertise we were doing it either.

as the above poster says, there are lots of methods but you've got to decide which one fits your enterprise the best ... and then run with it!