Q

Removing admin rights to a workstation at logon

I have a Windows 2000 AD domain, with 2 Windows 2000 domain controllers. I have about 30 2000 Pro and 25 XP client workstations. All these machines were set up giving the local user full administrative rights to the box. (When the domain user was added to users in control panel, they were given admin rights.) How or what do I have to do so that when they log into the machine it will remove the admin rights and only grant them user rights to that workstation? If I have to use a group policy, can someone explain to me where in the group policies I have to make this setting?
The answer you seek is in Group Policy's Restricted Groups. With a little elbow grease, you can make a declaration: "No one is a local admin on my PCs, except, <insert exceptions here>" such as the Help Desk, IT support staff, etc. Restricted Groups are found under Computer Configuration | Security Settings | Restricted Groups. You'll be able to simply enter in the name of the local computer group you want (say, Administrators), then add in users just you want to guarantee to be members of the group! Anyone already in those groups are ripped out and replaced with your wishes!

Additional Expert Help:
Be sure to check our Answer FAQ for more expert advice.
For faster answers, visit ITKnowledge Exchange.

This was first published in November 2004
This Content Component encountered an error

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close