As Domain Administrators of an Active Directory infrastructure, it is our duty to keep the environment secure. Here we will see how to remove users from the local Administrators group.
Sometimes we have to give admin rights to a normal domain user. When this happens it is almost impossible to discover afterwards, because you have to query every computer to see who is in the local admin group and then figure out which accounts should be members. To avoid this and to keep the environment secure, here is the Group Policy for it.
This is a common question among administrators, and I have seen it asked in many forums. So in this topic we will look at the Group Policy for removing domain users that were added to the local Administrators group.
Let's see the steps for removing users from the local Administrators group:
1. Log in to a server with Administrator privileges.
2. Open the Group Policy Management console from Server Manager > Tools > Group Policy Management.
3. Create the Group Policy for removing users from the local Administrators group.
In this case I have named the GPO Admin Rights Removal.
4. Right-click the created Group Policy, click Edit, and browse to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups.
5. Create the group and then add only the Domain Admins group to it.
Which users need to be in the created Restricted Group depends on you and your requirements.
6. Link this GPO to the desired OU. For better security, this kind of GPO should be applied at the domain level.
If you create a Restricted Group for the Local Administrators group, the GPO will overwrite the existing local group membership and set the membership to whatever has been configured in the GPO.
If a user adds themselves to the local Administrators group, the next time the policy refreshes, the local group membership will be reset to what is defined in the Restricted Group.
In our case I have added only Domain Admins to the Restricted Group. Once the policy takes effect, all users other than Domain Admins will be removed.
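Because the policy overwrites the existing membership, it helps to list who would be removed before the GPO is linked. The following read-only audit is an added example, not part of the original tutorial; the computer names are placeholders, and it assumes PowerShell remoting (WinRM) is enabled and the targets run PowerShell 5.1 or later.

```powershell
# Added example: report local Administrators members that a Restricted Groups
# policy containing only Domain Admins would remove. Read-only; changes nothing.
$Computers = @('PC-EXAMPLE-01', 'PC-EXAMPLE-02')   # placeholder names (assumption)

# Members expected to remain, matched by well-known RID at the end of the SID:
#   -500 = built-in Administrator account, -512 = Domain Admins group
# Assumption: a single domain, so any SID ending in -512 is our Domain Admins.
$AllowedRidPattern = '-(500|512)$'

$report = foreach ($computer in $Computers) {
    try {
        Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators,
            # so the lookup does not depend on the OS display language.
            Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object {
                # Flatten to strings so nothing is lost when the result
                # is serialized back over the remoting session.
                [pscustomobject]@{
                    Member = $_.Name
                    Type   = $_.ObjectClass
                    Source = "$($_.PrincipalSource)"
                    Sid    = $_.SID.Value
                }
            }
        } |
            Where-Object { $_.Sid -notmatch $AllowedRidPattern } |
            Select-Object @{ n = 'Computer'; e = { $computer } },
                          Member, Type, Source, Sid
    }
    catch {
        # List hosts that could not be queried so they are not mistaken
        # for machines with a clean Administrators group.
        [pscustomobject]@{
            Computer = $computer
            Member   = "QUERY FAILED: $($_.Exception.Message)"
            Type     = $null
            Source   = $null
            Sid      = $null
        }
    }
}

$report | Sort-Object Computer, Member | Format-Table -AutoSize
```

Every row in the output is an account or group that loses local admin rights at the next policy refresh, so service accounts and helpdesk groups that still need access can be added to the Restricted Group first.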
Hope this tutorial helps you.