Announcement

Collapse
No announcement yet.

Removing Local Admins

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Removing Local Admins

    Hi,

    When adding a 2003 server to an existing domain is it possible to remove all the current local users from the local administrator group using group policies in order to better secure the system?

    Thanks

    Kyu
    J C Rocks (An Aspiring Author's Journey)
    The Abyssal Void War: Stars, Hide Your Fires

  • #2
    Re: Removing Local Admins

    Sure is,

    Go too default GPO -> Computer Config -> Pref -> Control Panel Settings -> Local Users and Group ->

    Now click "new user" use default "Administrator" and set in option below to "account is disabled"

    Comment


    • #3
      Re: Removing Local Admins

      This wont remove other users from the local admins group and, IMHO, is a bad idea since it prevents emergency access to the PC using the administrator account (strong password is better!)

      I would suggest using restricted groups (somewhere in Computer Settings--Security) to allow only the local administrator and domain admins to be members of the local admins group
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **

      Comment


      • #4
        Re: Removing Local Admins

        Originally posted by Flux View Post
        Sure is,

        Go too default GPO -> Computer Config -> Pref -> Control Panel Settings -> Local Users and Group ->

        Now click "new user" use default "Administrator" and set in option below to "account is disabled"
        OK ... I know I'm going to sound thick here but I just ran gpedit.msc on the DC and I can't see anything like that. Is there somwhere else I should be looking?

        EDIT: Hmmmm! It doesn't appear I have access on that server to the "Domain Controller Security Policy" or "Domain Security Policy" (Start --> Programs --> Administrative Tools).

        Kyu
        Last edited by Kyuuketsuki; 7th July 2009, 13:04.
        J C Rocks (An Aspiring Author's Journey)
        The Abyssal Void War: Stars, Hide Your Fires

        Comment


        • #5
          Re: Removing Local Admins

          Originally posted by Ossian View Post
          This wont remove other users from the local admins group and, IMHO, is a bad idea since it prevents emergency access to the PC using the administrator account (strong password is better!). I would suggest using restricted groups (somewhere in Computer Settings--Security) to allow only the local administrator and domain admins to be members of the local admins group
          OK ...

          The reason I need to know how to do this is because it appears to be being done by the owner of the domain.

          Now under normal circumstances that might be reasonable (that the owner should be controlling his/her own domain) but in order to get support he/she needs to grant local admin access to a number of people (including me whilst the server is in project phase which it is) and services (e.g. shavlik updates).

          I built the servers (they are virtual) and added them to the owner's domain having first configured the necessary accounts for local admin access only to find that those accounts then "lost" their admin group membership once they became a part of the domain so I reasoned it was a policy setting ... unfortunately I'm not actually very au fait with policies (something I intend to rectify once my new virtual domain comes on line).

          So I'm not trying to achieve this, I'm trying to find out how it was done.

          Kyu
          J C Rocks (An Aspiring Author's Journey)
          The Abyssal Void War: Stars, Hide Your Fires

          Comment

          Working...
          X