I was wondering, how can I configure Active Directory and or all the workstations to show what computer and user accounts have local administrator access on the workstations?
The scenario is that some accounts may have been granted access via Active Directory in an organizational unit, while others the individual user in Active Directory may have been given the access to the local administrator group on the box.
I need to see a list so we can correct who should and who should not have local admin access.
Thank you for your help.
You can use the "net localgroup administrators" command on each workstation (probably in a login script so that it records its information to a central file for later review). This command will enumerate the members of the Administrators group on each machine you run it on. Alternately, you can use the Restricted Groups feature of Group Policy to restrict the membership of Administrators to only those users you want to belong.
Dig deeper on Microsoft Active Directory Tools and Troubleshooting
Related Q&A from Laura Hunter
Active Directory expert Laura E. Hunter tells a reader what to keep in mind when deleting subnets associated with sites being removed in an ...continue reading
Active Directory expert Laura E. Hunter explains to a reader what must be done to change the default display specifiers for new users in Active ...continue reading
Active Directory expert Laura E. Hunter offers a tip for shortening client wait times.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.