Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  

July 02, 2001

Access Denied: Remove Users from Local Admin Group


At my company, users are administrators of their workstations. To enhance desktop security, however, I need to remove other users from the local Administrators group on each computer. How can I accomplish this task without visiting each computer and manually deleting the users?

Group Policy comes to the rescue here. In Group Policy Objects (GPOs), the Restricted Groups folder under \Computer Configuration\Windows Settings\Security Settings contains options that let you control group membership for local groups on the workstations and member servers in your domain. To accomplish your job, create and edit a GPO that you'll apply to all the workstations that need the change. For example, if you edit Default Domain Policy, your change will apply to all computers in the domain unless a lower GPO specifies a policy for the same group. (See the preceding Q&A, InstantDoc ID 21295.)

To remove users from their local Administrators group, maneuver to the Restricted Groups folder, right-click, select Action, then select Add Group. Enter the name of the local group whose membership you want to control (in this case, Administrators). A policy named for the group will appear in the details pane, as Figure 1 shows. Double-click the policy to display the dialog box that Figure 2 shows. Click Add, then click Browse. Select Domain Admins, then click OK to close all the dialog boxes.

This policy will cause your domain's member servers and workstations to delete any members other than Domain Admins from each computer's local Administrators group. To verify your change, log on to a member server or workstation in your domain, then at a command prompt, type

secedit /refreshpolicy machine_policy

This command applies group policy immediately instead of waiting for the next typical refresh, which could be as long as 2 hours away. Next, open the Microsoft Management Console (MMC) Computer Management snap-in, then maneuver to Local Users and Groups. You'll now see only Domain Admins and the local Administrator user account as members of Administrators. You still find the local Administrator account because this user is a built-in member of Administrators, and you can't delete that account.
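The same verification can be scripted so it can be repeated on many machines instead of opening Computer Management on each one. The following is an added example, not code from the original article; it assumes Windows PowerShell 5.1 or later (the `Get-LocalGroupMember` cmdlet) and a session logged on with an account from the computer's own domain, and the function name `Get-UnexpectedLocalAdmin` is hypothetical.

```powershell
# Added example: audit the local Administrators group after the Restricted
# Groups policy has applied. Get-UnexpectedLocalAdmin is a name chosen here.
# On Windows XP and later, refresh computer policy first with:
#   gpupdate /target:computer /force

function Get-UnexpectedLocalAdmin {
    [CmdletBinding()]
    param(
        # Extra SIDs to tolerate, for example a group added to the policy later.
        [string[]]$AdditionalAllowedSid = @()
    )

    # Assumption: the current logon is a domain account, so its SID carries the domain SID.
    $domainSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.AccountDomainSid
    if (-not $domainSid) { throw 'Current account has no domain SID; log on with a domain account.' }

    # Domain Admins is always <domain SID>-512; build the SID instead of trusting a name.
    $domainAdmins = [System.Security.Principal.SecurityIdentifier]::new(
        [System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid, $domainSid)
    $allowed = @($domainAdmins.Value) + $AdditionalAllowedSid

    # S-1-5-32-544 is the well-known SID of the local Administrators group,
    # so the lookup also works on non-English installations.
    foreach ($member in (Get-LocalGroupMember -SID 'S-1-5-32-544')) {
        $sid = $member.SID.Value
        # The built-in local Administrator always has RID 500 and stays a member.
        $isBuiltinAdmin = ($member.PrincipalSource -eq 'Local') -and ($sid -match '-500$')
        if (-not $isBuiltinAdmin -and ($allowed -notcontains $sid)) {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Name     = $member.Name
                SID      = $sid
                Source   = $member.PrincipalSource
            }
        }
    }
}

# An empty result means only Domain Admins and the built-in Administrator remain.
$unexpected = @(Get-UnexpectedLocalAdmin)
if ($unexpected.Count -eq 0) {
    'Local Administrators matches the Restricted Groups policy.'
} else {
    $unexpected | Format-Table -AutoSize
}
```

Any row in the output is a member the policy should have removed, which usually means the GPO has not applied to that computer yet or a lower GPO defines the same group.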




Reader Comments
Great article! My problem of controlling the local admin rights is solved!! Thank you so much.

kentoh February 26, 2007


That's good. But how do I add just one or two users as local admin to their particular machines?
"This policy will cause your domain's member servers and workstations to delete any members other than Domain Admins from each computer's local Administrators group." I want the opposite to happen. I would like to add domain admins as local admins and then add a random domain user as local admin as well, without having the domain user account deleted each time the system refreshes the GPO.

zookflash March 20, 2007






 Windows IT Pro is a Division of Penton Media Inc.
 © 2010 Penton Media, Inc. Terms of Use | Privacy Statement