I have a Windows 2000 AD domain, with 2 Windows 2000 domain controllers. I have about 30 2000 Pro and 25 XP client workstations. All these machines were set up giving the local user full administrative rights to the box. (When the domain user was added to users in control panel, they were given admin rights.) How or what do I have to do so that when they log into the machine it will remove the admin rights and only grant them user rights to that workstation? If I have to use a group policy, can someone explain to me where in the group policies I have to make this setting?
The answer you seek is in Group Policy's Restricted Groups. With a little elbow grease, you can make a declaration: "No one is a local admin on my PCs, except, <insert exceptions here>" such as the Help Desk, IT support staff, etc. Restricted Groups are found under Computer Configuration | Security Settings | Restricted Groups. You'll be able to simply enter in the name of the local computer group you want (say, Administrators), then add in just the users you want to guarantee to be members of the group! Anyone already in those groups is ripped out and replaced with your wishes!
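Added example, not part of the original answer: a Python sketch that reads the `[Group Membership]` section a Restricted Groups policy stores in the GPO's security template (GptTmpl.inf) and previews which current local Administrators would be removed on a workstation. The template text, SIDs, account names and function names are constructed for illustration.

```python
import configparser

# Constructed sample of the section Restricted Groups writes to GptTmpl.inf.
# S-1-5-32-544 is the built-in Administrators group; domain SIDs are placeholders.
SAMPLE_TEMPLATE = """\
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111-2222-3333-512,*S-1-5-21-1111-2222-3333-1105
"""

# Constructed sample: local Administrators on one workstation before the policy applies.
CURRENT_ADMINS = {
    "S-1-5-21-1111-2222-3333-512": "EXAMPLE\\Domain Admins",
    "S-1-5-21-1111-2222-3333-1204": "EXAMPLE\\jsmith",  # the PC's everyday user
    "S-1-5-21-1111-2222-3333-1230": "EXAMPLE\\mjones",
}


def parse_members(template_text):
    """Return {group_sid: set(member_sids)} from the '<group>__Members' lines."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so the '__Members' suffix still matches
    cp.read_string(template_text)
    groups = {}
    for key, value in cp["Group Membership"].items():
        if key.endswith("__Members"):
            group_sid = key[: -len("__Members")].lstrip("*")
            groups[group_sid] = {
                m.strip().lstrip("*") for m in value.split(",") if m.strip()
            }
    return groups


def plan_changes(current, desired):
    """The Members list is authoritative: anyone not listed is removed."""
    current = set(current)
    return {"remove": sorted(current - desired), "add": sorted(desired - current)}


if __name__ == "__main__":
    desired = parse_members(SAMPLE_TEMPLATE)["S-1-5-32-544"]
    plan = plan_changes(CURRENT_ADMINS, desired)
    for sid in plan["remove"]:
        print("would be removed:", CURRENT_ADMINS[sid], sid)
    for sid in plan["add"]:
        print("would be added:  ", sid)
```

Running a preview like this against a pilot OU before linking the policy domain-wide shows which accounts lose local admin rights, so the Help Desk and IT support exceptions can be confirmed first.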