Group Policy: Removing Users From The Local Administrators Group

Removing Users From The Local Administrators Group

As Domain Administrators, it is our duty to keep our Active Directory environment secure. Here we will look at removing users from the local Administrators group.

Sometimes we have to grant admin rights to a normal domain user. When this happens, it is almost impossible to keep track of, because you have to query every computer to see who is in the local Administrators group and then work out which accounts should actually be members. To avoid this and to keep the environment secure, here is the Group Policy for it.

This is a common question among administrators, and I have seen the same question in many forums. So in this topic we will look at the Group Policy for removing domain users that were added to the local Administrators group.

Let’s see the steps for removing users from the local Administrators group.

 

1. Log in to a server with Administrator privileges.

 

2. Open the Group Policy Management console (MMC) from Server Manager > Tools > Group Policy Management.

 

3. Create the Group Policy for removing users from the local Administrators group.

In this case I have named the GPO Admin Rights Removal.

 


4. Right-click the created Group Policy, click Edit, and browse to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups.

 

5. Create the Restricted Group and add only the Domain Admins group to it, or add whichever users need to be in that Restricted Group; this depends on you and your requirements.

 


6. Link this GPO to the desired OU. For better security, this kind of GPO should be applied at the domain level.

 


Note:

If you create a Restricted Group for the local Administrators group, the GPO overwrites the existing local group membership and sets it to whatever has been configured in the GPO.

If a user adds themselves to the local Administrators group, the local group membership is reset to what is defined in the Restricted Group the next time the policy refreshes.

In our case I have added only Domain Admins to the Restricted Group. Once the policy takes effect, all users other than Domain Admins will be removed.
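To confirm the policy has taken effect, the local Administrators group can be audited across the machines in scope instead of checking each computer by hand. The script below is an added example, not part of the original article; the OU path and domain name are placeholders, and it assumes the RSAT ActiveDirectory module, PowerShell remoting (WinRM) enabled on the targets, and Windows PowerShell 5.1 or later on them for `Get-LocalGroupMember`.

```powershell
# Added example: audit local Administrators membership after the Restricted Groups GPO applies.
# Placeholders (assumptions, replace with your own values):
$SearchBase = 'OU=Workstations,DC=example,DC=com'   # OU the GPO is linked to
$Allowed    = @('EXAMPLE\Domain Admins')            # members defined in the Restricted Group

Import-Module ActiveDirectory

# Enabled computer accounts in scope of the GPO.
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
    Where-Object { $_.DNSHostName } |
    Select-Object -ExpandProperty DNSHostName

# Query every machine in parallel; unreachable hosts are collected in $failed.
$members = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue `
    -ErrorVariable failed -ScriptBlock {
        # S-1-5-32-544 is the well-known SID of the built-in Administrators group,
        # so this also works where the group is renamed or localized.
        Get-LocalGroupMember -SID 'S-1-5-32-544' |
            Select-Object Name, ObjectClass, PrincipalSource,
                @{ Name = 'Sid'; Expression = { $_.SID.Value } }
    }

# Anything that is neither on the allowed list nor the built-in Administrator
# account (RID 500, which Restricted Groups does not remove) is a finding.
$unexpected = $members | Where-Object {
    $_.Name -notin $Allowed -and $_.Sid -notmatch '-500$'
}

$unexpected |
    Sort-Object PSComputerName, Name |
    Format-Table PSComputerName, Name, ObjectClass, PrincipalSource -AutoSize

# Hosts that could not be queried are unaudited, not clean: report them separately.
$failed | ForEach-Object { $_.TargetObject } | Sort-Object -Unique
```

An empty table means every reachable machine matches the Restricted Group; rerun it after the next policy refresh for hosts that were listed as unreachable.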


About Balamurugan Murugesan

Bala is one of the founders and the CEO of DoubtsClear, with over 6 years of experience in IT, and an expert in all aspects of Windows, Linux, VMware, server management, web hosting support, data recovery and backup, performance optimization, migration and load balancing.
