How can I remove my users from local admin rights with a GPO?

Question

I have active directory 2003 and windows xp running on clients so I don't want any of my users to have any admin rights on their PCs and I have already gave them local admin rights So Without to go to each PC and remove it by hand . How can I remove my users from local admin rights with a GPO? Any advice would be appreciated Thanks

Nixphoe · Answer 1 · 2011-06-08T13:20:19.143

5

Restricted Groups

Computer configuration > Windows Settings > Security Settings > Restricted Groups.

If you set that up with Using the "Members" Restricted Group Portion of Policy, it will remove anything else that is listed locally. It will only apply the group that is in your policy. You can read more about it here

edited Jun 08 '11 at 13:20

answered Jun 08 '11 at 13:01

Nixphoe

4,584
7
34
52

3

Be careful with this. If you don't add Domain Admins to the restricted group, you'll find yourself unable to administer the machines. – Jason Berg Jun 08 '11 at 13:32
Sorry I'm haven't understood you When I have added the users in local admin right I did by client side I wen to each one and used administrator account I added the user so already I dont have this policy. May I have create new one or what I have to do to remove administrator users locally? – Codey Jun 08 '11 at 13:55
restricted groups will ensure that only the users in the restricted groups policy are in the local group. it doesn't matter if you changed the group membership onthe client. – Jim B Jun 08 '11 at 15:20

How can I remove my users from local admin rights with a GPO?

1 Answers1