Ask the Expert

Removing admin rights to a workstation at logon

I have a Windows 2000 AD domain, with 2 Windows 2000 domain controllers. I have about 30 2000 Pro and 25 XP client workstations. All these machines were set up giving the local user full administrative rights to the box. (When the domain user was added to users in control panel, they were given admin rights.) How or what do I have to do so that when they log into the machine it will remove the admin rights and only grant them user rights to that workstation? If I have to use a group policy, can someone explain to me where in the group policies I have to make this setting?


The answer you seek is in Group Policy's Restricted Groups. With a little elbow grease, you can make a declaration: "No one is a local admin on my PCs, except <insert exceptions here>", such as the Help Desk, IT support staff, etc. Restricted Groups are found under Computer Configuration | Security Settings | Restricted Groups. You'll be able to simply enter the name of the local computer group you want (say, Administrators), then add in just the users you want to guarantee to be members of the group! Anyone already in those groups is ripped out and replaced with your wishes!
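Because the policy replaces the membership rather than adding to it, it helps to preview the effect on a workstation before linking the GPO. The following is an added example, not part of the original answer: it parses `net localgroup Administrators` output and lists who would be removed and added. The account names, the sample output and the policy list are constructed assumptions.

```python
# Added example: preview a Restricted Groups policy for local "Administrators".
# Constructed sample of `net localgroup Administrators` output from one PC.
SAMPLE_NET_LOCALGROUP = r"""Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\Domain Admins
CORP\jsmith
WS042\tempinstall
The command completed successfully.
"""

# Hypothetical policy: the members the GPO declares for local Administrators.
POLICY_MEMBERS = ["CORP\\Domain Admins", "CORP\\HelpDesk"]

def parse_members(net_output):
    """Return the member names listed by `net localgroup <group>`."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if line.startswith("-----"):
            in_list = True  # member names start after the dashed rule
        elif line.startswith("The command completed"):
            break
        elif in_list and line:
            members.append(line)
    return members

def preview_enforcement(current, policy, builtin="Administrator"):
    """Model the replace semantics: the policy list wins, everyone else goes.

    Windows account names are case-insensitive, so compare casefolded. The
    built-in Administrator stays: Windows does not allow removing it.
    """
    keep = {m.casefold() for m in policy} | {builtin.casefold()}
    have = {m.casefold() for m in current}
    removed = sorted(m for m in current if m.casefold() not in keep)
    added = sorted(m for m in policy if m.casefold() not in have)
    return removed, added

if __name__ == "__main__":
    current = parse_members(SAMPLE_NET_LOCALGROUP)
    removed, added = preview_enforcement(current, POLICY_MEMBERS)
    print("would be removed:", removed)
    print("would be added:  ", added)
```

Anything in the "would be removed" list that a service or support process depends on needs to be added to the policy's member list before the GPO is applied.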


This was first published in November 2004
