How can I remove local administrator permissions?


Solution 1

Take the users out of the "local admins" groups.

The manual process would be to go to the computer, Start > right-click My Computer and then "Manage Computer". Select "Local Users and Groups", "Groups", then double-click Administrators. Remove the users from that group.

Probably best not to take Domain Admins out of this group though, and if you disable the local administrator group from doing anything, you may have other issues.

You may find that a lot of things will stop working for the users though, so Power Users might be the best place for them to go if they've done anything weird and wonderful.

If you wanted to do this by group policy, I think you'd be looking at scripting something, then having it run as a startup script.

Your script would then use "net localgroup administrators naughtyusers /delete"
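A startup script along the lines described above, as an added example that is not part of the original answer. It goes beyond removing one named group: it removes every member of the local Administrators group except the built-in Administrator account and Domain Admins. It assumes Windows PowerShell 5.1 (LocalAccounts module) running elevated; the `-Apply` switch and the function name `Get-MembersToRemove` are hypothetical.

```powershell
# Added example, not from the original answers.
# Intended to run elevated, e.g. as a computer startup script.
param([switch]$Apply)   # hypothetical switch: without it the script only reports

# Well-known SID of BUILTIN\Administrators (independent of OS language).
$AdminsGroupSid = 'S-1-5-32-544'

# Members to keep, matched by well-known RID at the end of the SID:
#   500 = built-in Administrator account, 512 = Domain Admins group.
$KeepSidPattern = '^S-1-5-21-(\d+-){3}(500|512)$'

function Get-MembersToRemove {
    param([object[]]$Members)
    # Return every member whose SID is not on the keep list.
    $Members | Where-Object { $_.SID.ToString() -notmatch $KeepSidPattern }
}

$members = @(Get-LocalGroupMember -SID $AdminsGroupSid)

foreach ($m in Get-MembersToRemove -Members $members) {
    if (-not $Apply) {
        # Report-only pass: review this output before enabling -Apply.
        Write-Output "Would remove $($m.Name) [$($m.SID)]"
        continue
    }
    try {
        Remove-LocalGroupMember -SID $AdminsGroupSid -Member $m -ErrorAction Stop
        Write-Output "Removed $($m.Name) [$($m.SID)]"
    } catch {
        Write-Warning "Could not remove $($m.Name): $($_.Exception.Message)"
    }
}
```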

Solution 2

As @Tubs has said, don't try and cripple the local administrators group. Just don't put your end users in that group. Power Users will give them permission to do pretty much everything that an admin can do, but not change system-wide configuration. Although they do have modify rights to the registry, so given time and a reg file, I can't see there being any setting that they couldn't change.

Group policy can directly control the membership of local groups. I don't have the admin tool available at the moment, but it is something like "restricted groups". What you specify here will become the complete membership of the group. You cannot instruct group policy to make changes to membership of a local group, only completely replace the membership with the list you specify, so remember to include domain admins in the administrators group.

Solution 3

I don't have enough rep to comment on @pipTheGeek, but the path in GP is Computer Configuration\Windows Settings\Security Settings\Restricted Groups.

Author by

xabim

Updated on September 17, 2022

Comments

  • xabim
    xabim almost 2 years

    I want to disable the permissions of local administrators on the machines of my domain, and only give administration rights to the Domain Administrators. Is this possible? And I want to do it with Group Policies.

    Mainly I want to disable the users' permission to install/uninstall programs, although they are Local Administrators of their machines.

  • Tubs
    Tubs almost 15 years
    Didn't know that one existed! Computer Configuration > Windows Settings > Security Settings > Restricted Groups. Much better than my suggestion.