Local admin rights on Client PC's

  • Local admin rights on Client PC's

    In the past I have freely enabled local admin rights on all my PC's due to restrictions on 3rd party software which requires it. Unfortunately this is quite a security risk and has become a problem on my LAN. I need to remove all local admin rights ASAP. I have about 250 users so as you can imagine it's going to be a tiresome task.
    Anybody out there know of a way or an app that can do this for me with some ease? I know in AD I can select the computers and manage them from there, but like I said there are about 250 computers to get through.

  • #2
    Re: Local admin rights on Client PC's

    AD GPOs are not going to work as local policies supersede domain policies.


    • #3
      Re: Local admin rights on Client PC's

      Huh? What do you mean by "local policies supersede domain policies"?

      The trick to remember is: LSDOU, Local, site, domain, ou. The local policy will be applied first, the rest will follow, and will overrule the local policy.
      Technical Consultant

      MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
      "No matter how secure, there is always the human factor."

      "Enjoy life today, tomorrow may never come."
      "If you're going through hell, keep going. ~Winston Churchill"


      • #4
        Re: Local admin rights on Client PC's

        In a GPO attached to your computer OU, you could set the Security Options > Accounts: Administrator Account Status to disabled. This would prevent the local admin account from being enabled. In the event of local admin rights being needed for maintenance, booting into safe mode would override this policy.


        • #5
          Re: Local admin rights on Client PC's

          As I can see, you have a domain controller and probably all computers are joined to it. There is an easy way to solve your problem.

          1. Create .bat file with script:

          net localgroup administrators useradmin1 /delete
          net localgroup administrators useradmin2 /delete

          (put all 250 usernames in useradminX)

          Put the script in GPO > Computer Configuration > Windows Settings > start and/or shutdown

          This should work if you have a list of all users with admin rights.
          Arber I. Ibrahimi
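
The startup-script approach from post #5, generalized so it does not need a list of all 250 usernames: this added example (not code from the thread) enumerates the local Administrators group on each PC and removes every member that is not on an allowlist. The group name `CONTOSO\Workstation-Admins` and the log path are assumptions; it requires Windows PowerShell 5.1 for the LocalAccounts cmdlets.

```powershell
#Requires -Version 5.1
# Added example: prune the local Administrators group down to an allowlist.
# Intended to run as a GPO computer startup script (runs as SYSTEM).
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical names: replace with the accounts/groups you want to keep.
    [string[]]$AllowedNames = @('CONTOSO\Workstation-Admins'),
    # Assumed log location; any path writable by SYSTEM works.
    [string]$LogPath = "$env:SystemRoot\Temp\LocalAdminCleanup.log"
)

$adminGroupSid = 'S-1-5-32-544'   # BUILTIN\Administrators, independent of OS language
# Always kept, matched by RID rather than name:
#   -500 = built-in Administrator account, -512 = Domain Admins group
$allowedRidPattern = '-(500|512)$'

function Write-Log([string]$Message) {
    "{0:s} {1} {2}" -f (Get-Date), $env:COMPUTERNAME, $Message |
        Add-Content -Path $LogPath
}

try {
    $members = Get-LocalGroupMember -SID $adminGroupSid -ErrorAction Stop
} catch {
    # Enumeration can fail (e.g. orphaned SIDs in the group); log and stop
    # instead of removing members based on a partial list.
    Write-Log "ERROR enumerating Administrators: $($_.Exception.Message)"
    exit 1
}

foreach ($m in $members) {
    $keep = ($m.SID.Value -match $allowedRidPattern) -or
            ($AllowedNames -contains $m.Name)
    if ($keep) { Write-Log "KEEP   $($m.Name)"; continue }

    if ($PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
        try {
            Remove-LocalGroupMember -SID $adminGroupSid -Member $m -ErrorAction Stop
            Write-Log "REMOVE $($m.Name)"
        } catch {
            Write-Log "ERROR removing $($m.Name): $($_.Exception.Message)"
        }
    } else {
        Write-Log "WOULD-REMOVE $($m.Name)"   # reached when run with -WhatIf
    }
}
```

Running it with `-WhatIf` on a pilot machine first writes `WOULD-REMOVE` lines to the log without changing group membership, which shows which accounts the 3rd party software actually depends on before the GPO is linked to all computers.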