none
How to change user rights from admin to standard user?

    Question

  • Hi!

    I am working in a city with around 400 users and all of them have admin rights on their local accounts. We want to change that to  user rights instead. I would like to know how to create a GPO that would make that change. I think the best way would be through GPO unless you have other ideas! 

    Thank you for your help in advance!

    Dag

    Wednesday, December 17, 2014 10:20 PM

Answers

All replies

  • Using Restricted Groups in GPO would be the one way to go.
    Wednesday, December 17, 2014 10:40 PM
  • Hi Dag,

    How is it going? I agree with yannara. Besides, we can also use Group Policy Preferences Local Users and Groups to do this.

    Regarding GPP Local Users and Groups, the following articles can be referred to for more information.

    Local Users and Groups Extension

    http://technet.microsoft.com/en-us/library/cc731972.aspx

    How to use Group Policy Preferences to Secure Local Administrator Groups

    http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

    In addition, regarding restricted groups, the following article can be referred to for more information.

    Active Directory Group Policy Restricted Groups

    http://social.technet.microsoft.com/wiki/contents/articles/20402.active-directory-group-policy-restricted-groups.aspx

    Best regards,

    Frank Shen


    Monday, December 29, 2014 8:12 AM
    Moderator
  • Hi guys, thank you for the answer!

    After some verification I found a GPO that is pushing a cmd file on the network that is looking like this:

    NET LOCALGROUP Administrators  interactive /ADD
    NET LOCALGROUP Administrators /ADD "CITY\Domain Admins"
    NET LOCALGROUP Administrators /ADD "CITY\Domain Users"
    exit

    i was thinking of changing it like this:

    NET LOCALGROUP Administrators  interactive /ADD
    NET LOCALGROUP Administrators /ADD "CITY\Domain Admins"
    NET LOCALGROUP Users /ADD "CITY\Domain Users"
    exit

    That way all new domain users would become users instead of admin. Would that be a good idea to do that? If yes, how can I force the already existing domain users accounts that are local admins to lose their admin rights?

    Have a nice day!

    Dag

    Monday, December 29, 2014 8:32 PM
  • I've just finished base testing with this link that you sent me:

    http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/

    very useful and simple.

    I realize we were making things complicated with our batch file. The update option is indeed very useful since it upgrades the existing account on the desktop as well as the new one. Now that the technical issue is mostly done, the testing will officially begin and finally the hardest part is to come: Explaining our users the necessity of removing their admin rights. :)

    I did not forget to add an administrative builtin account and domain admin in an admin group. So everything is fine.

    Thank you!

    Dag

    Monday, December 29, 2014 10:41 PM