Wednesday, December 19, 2012

AD 2008R2 - Remove Users From Local Admin Using Group Policy

One of the more frustrating things to deal with as a system admin is managing local user permissions on desktops and servers. Users with local admin rights can do just about anything to their machines, which causes significant headaches for the Help Desk team and is also the foothold an attacker wants most: a local admin can disable security tooling and read credentials cached on the machine. Group Policy Preferences, available in Windows Server 2008 and 2008 R2 Active Directory, give administrators the ability to manage local groups via GPO. In this segment I plan to cover some of the highlights of this policy.

Create the GPO:
On your Domain Controller go ahead and open up Group Policy Management. Drill down to the domain where you want to create the policy and expand Group Policy Objects. Right click in the active window and select New. Let's call the GPO Local Users. Click OK.

Edit the GPO:
You should see the newly created GPO in the active window. Right click on it and select Edit. In the Group Policy Management Editor drill down to User Configuration > Preferences > Control Panel Settings, then right click on Local Users and Groups and select New > Local Group. It has to be the User Configuration branch: the "Remove the current user" option is only offered there, because "current user" means the user the policy is being applied to.

In the New Local Group Properties window set Action to Update and type Administrators in the Group name box (or pick it from the drop-down). Select the Remove the current user radio button and click OK.
*Note - Besides removing the current user, the same item can add the current user, delete all member users, delete all member groups, and add or remove specific accounts through the Members list. Be careful how you set this up, as you may inadvertently remove users or groups you want to keep: if you tick Delete all member users, add the accounts that must keep admin rights (for example Domain Admins or your Help Desk group) to the Members list of the same item, or they will be stripped as well.

Your newly created element should appear in the active window. Go ahead and close the editor.

Apply & Test the GPO:
Next we need to link the GPO so it reaches the right users. Because this item lives under User Configuration, it is applied according to where the user account sits in AD, not the computer: link it to the OU containing the user accounts that should lose their admin rights. If you want it to apply to everyone who logs on to a particular set of computers instead, link it to the computer OU and enable loopback processing in the same GPO (Computer Configuration > Policies > Administrative Templates > System > Group Policy).

*Caution - You should test all GPO's in a lab environment or on a Test OU BEFORE applying them to the live production environment to ensure you will achieve the desired outcome.

In the navigation tree simply drag the Local Users GPO onto the OU you chose. You will be prompted to link the GPO to the OU. Click OK.

The final step is to test the GPO. Log on to a machine in scope as a user the GPO applies to, open a command prompt and run the following:
gpupdate /force
Then log off and back on: group membership is written into the user's access token at logon, so an existing session keeps its Administrators rights even after the group itself has been updated. Open Local Users and Groups (lusrmgr.msc), go into Groups > Administrators, and you should see that the user has been removed from the group. From a command prompt, net localgroup Administrators shows the same list.
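The verification step above can be scripted. The following PowerShell is an added example, not code from the original post: it refreshes user policy, lists the local Administrators group, checks whether a given account is still in it, and then checks whether the session it runs in still holds the Administrators SID, which is the case until the user logs off and on again. The account name CONTOSO\jdoe is an assumption for illustration; substitute the user you are removing.

```powershell
<#
  Added example (not from the original post): verifies the result of the
  "Local Users" GPO on the machine where it is run.
  Assumption: the account that should have lost admin rights is CONTOSO\jdoe.
  Run from an elevated PowerShell prompt on a machine in scope of the GPO,
  logged on as the affected user.
#>
param(
    [string]$User = 'CONTOSO\jdoe'   # assumed account name, change to match your domain
)

# 1. Refresh user-side policy so the Local Group preference item is processed.
gpupdate /target:user /force

# 2. Read the local Administrators group. 'net localgroup' exists on every
#    Windows version, unlike Get-LocalGroupMember (Windows 10 / 2016 and later).
#    Its output has a header, a dashed separator and a trailing status line;
#    keep only the member entries.
$members = net localgroup Administrators |
    Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command completed)' } |
    ForEach-Object { $_.Trim() }

Write-Host "Administrators on $env:COMPUTERNAME : $($members -join ', ')"

if ($members -contains $User) {
    Write-Warning "$User is still in Administrators (policy not applied yet, or the GPO is linked to the wrong OU)"
} else {
    Write-Host "$User is no longer in Administrators"
}

# 3. Group membership is stamped into the access token at logon, so the
#    session you are in keeps Administrators until the user logs off and on.
#    Under UAC a non-elevated process has the Administrators SID marked
#    deny-only and IsInRole returns False, which is why this must run elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning "The current logon token still carries Administrators; log off and back on for the removal to take effect"
}
```

If the script reports the user as removed from the group but the token still carries Administrators, that is expected for the session the user was already logged on to; it is the next logon that loses the rights. If the user is still listed in the group after gpupdate, the usual cause is the GPO being linked to a computer OU without loopback processing, which gpresult /r will show as the GPO not appearing under the user's applied policies.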


More to come!
