Remove Admin Rights to Domain Users

    Question

  • Hi, I have a question here.

    We are under a Windows Server 2008 R2 Domain, and I would like to remove Local Admin privileges from all domain computers to all domain users, except for domain administrators.

    Friday, March 3, 2017 5:49 PM

All replies

  • If I remember correctly, there is a Restricted Groups policy in GPO under security. I believe whatever you put in this section overwrites whatever is currently in the local groups you specify.

    Something like Windows Settings > Security Settings > Restricted Groups, I think.

    It's probably best to create a new GPO and scope it to a small group of computers, and if you're looking at tightening security you might not want to use the domain admins to be part of that group, maybe a separate group you create for "Local Workstation Admins". You shouldn't be logging into any machine using a domain admin account - at all.

    • Proposed as answer by Todd Heron Saturday, March 4, 2017 12:54 PM
    Friday, March 3, 2017 9:23 PM
  • Hi,
    I agree with Milkientia that you could try using Restricted Groups in Group Policy to define the Members properties for security-sensitive (restricted) groups. When a Restricted Group policy is enforced, any current member of a restricted group that is not on the "Members" list is removed, with the exception of Administrator in the Administrators group. Any user on the "Members" list who is not currently a member of the restricted group is added.
    Please see:
    Description of Group Policy Restricted Groups
    https://support.microsoft.com/en-sg/kb/279301
    Active Directory Group Policy Restricted Groups
    http://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, March 6, 2017 6:42 AM
    Moderator
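
Before linking a Restricted Groups GPO, it helps to see what its "Members" list would change on a machine. The script below is an added example, not part of any reply in this thread: it lists the local Administrators group and reports which entries the policy would remove or add. The domain `CONTOSO`, the group names in `$Allowed`, the English group name `Administrators`, and the unrenamed built-in account name `Administrator` are assumptions.

```powershell
# Added example. Names in $Allowed are hypothetical placeholders; replace them
# with the exact "Members" list you plan to set in the Restricted Groups GPO.
$Allowed = @(
    'CONTOSO\Domain Admins',
    'CONTOSO\Local Workstation Admins'
)

function Get-LocalAdminMember {
    # Uses the ADSI WinNT provider so it also runs on PowerShell 2.0.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path  = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        switch ($parts.Count) {
            3       { $parts[2] }                    # local account: DOMAIN/COMPUTER/name
            2       { '{0}\{1}' -f $parts[0], $parts[1] }  # domain principal
            default { $parts[0] }                    # unresolved SID (orphaned entry)
        }
    }
}

function Compare-RestrictedGroupMember {
    param([string[]]$Current, [string[]]$Allowed)
    New-Object PSObject -Property @{
        # Not on the Members list -> removed, except the built-in Administrator
        # (assumed here to still be named 'Administrator').
        WouldRemove = @($Current | Where-Object {
            ($Allowed -notcontains $_) -and ($_ -ne 'Administrator')
        })
        # On the Members list but not currently a member -> added.
        WouldAdd = @($Allowed | Where-Object { $Current -notcontains $_ })
    }
}

$current = @(Get-LocalAdminMember)
$result  = Compare-RestrictedGroupMember -Current $current -Allowed $Allowed

'Current members : ' + ($current -join ', ')
'Would be removed: ' + ($result.WouldRemove -join ', ')
'Would be added  : ' + ($result.WouldAdd -join ', ')
```

Run it on a few pilot machines first; anything listed under "Would be removed" that a service or support process depends on needs its own entry or a different access path before the GPO is scoped more widely.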
  • Hi,

    Was your issue resolved? If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions. If not, please reply and tell us the current situation so that we can provide further help.

    Best Regards,

    Wendy



    Friday, March 10, 2017 8:14 AM
    Moderator