Removing local users from local administrator group

Apollo

Hi,
I am rolling out a GPO with software restriction settings, this all works as
intended.

However, if the user logs in locally they can avoid the GPO and
run/install/amend any software they like as traditionally all users were set
up with a local user account that was added to the machine's local
administrators group.

So, how can I bulk remove users from the local administrators group and
reset the local administrator password? Thanks.....

Apollo
 
Hello Apollo,

Thank you for using the newsgroup!

From your post, for your first question, you want to bulk remove users from
the local administrators group; you may try the following steps:
1. Create an OU including all user accounts you want to move from local
administrators group.
2. Use Restricted Groups group policy to define the following two
properties for security-sensitive (restricted) groups:
   1) Members
   2) Member Of
3. Apply Restricted Groups group policy to this OU.

For more related configuration information, please refer to the following
articles:
279301: Description of Group Policy Restricted Groups
http://support.microsoft.com/kb/279301/en-us

228496: HOW TO: Use Restricted Groups in Windows 2000
http://support.microsoft.com/kb/228496/en-us

810076: Updates to Restricted Groups ("Member of") behavior of user-defined
local groups
http://support.microsoft.com/kb/810076/en-us

For your second question, to bulk reset local administrator passwords, you
have to use a script to do this job.
272530: How to Use the Cusrmgr.exe Tool to Change Administrator Account
Password on Multiple Computers
http://support.microsoft.com/kb/272530/en-us

Thanks & Regards,

Ken Zhao

Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security <http://www.microsoft.com/security>
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.




--------------------
| From: "Apollo"
| Subject: Removing local users from local administrator group
| Date: Fri, 30 Nov 2007 07:13:40 -0000
| Newsgroups: microsoft.public.win2000.group_policy
 
Hi,

Ken Zhao [MSFT] wrote:
> [Restricted Groups]
> 1. Create an OU including all user accounts you want to move from local
> administrators group.

... just to get a nice and sorted overview :-)
But you need to apply the GPO to all the computer accounts that should be
reset. So Step 1a.)
- create an OU and move all the computers to it ...
- link and create the GPO on this OU
- use restricted groups

Mark
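
Added example, not part of the original thread: once the Restricted Groups GPO is linked to the computers' OU as described above, a PowerShell audit like this confirms that each machine's local Administrators group holds only the expected members. The CONTOSO domain, the PC-00x computer names, the allow-list, `computers.txt` and both function names are assumptions; the sample member lists are constructed.

```powershell
# Added example: audit local Administrators membership after the Restricted Groups GPO applies.
# Assumed, not from the thread: CONTOSO domain, PC-00x names, the allow-list, function names.

function Get-LocalAdminMember {
    # Lists members of a computer's local Administrators group via the WinNT ADSI provider.
    # Assumes an English group name and administrative rights on the target machine.
    param([Parameter(Mandatory)][string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        # 'WinNT://DOMAIN/PC/user' for local accounts, 'WinNT://DOMAIN/group' for domain ones
        $path -replace '^WinNT://', ''
    }
}

function Find-UnexpectedAdmin {
    # Returns one object per member that is not on the allow-list for this computer.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Members,
        [Parameter(Mandatory)][string[]]$Allowed   # '%COMPUTER%' stands for the machine name
    )
    $allow = @($Allowed | ForEach-Object { $_ -replace '%COMPUTER%', $ComputerName })
    foreach ($m in $Members) {
        # Compare on the last two path segments: 'PC/user' or 'DOMAIN/group'.
        # An unresolved (orphaned) SID has a single segment and is always reported.
        $key = (($m -split '/') | Select-Object -Last 2) -join '/'
        if ($allow -notcontains $key) {
            [pscustomobject]@{ Computer = $ComputerName; Unexpected = $key }
        }
    }
}

# What the Restricted Groups "Members" list is expected to contain (assumed values).
$allowed = 'CONTOSO/Domain Admins', '%COMPUTER%/Administrator'

# Constructed sample data so the comparison runs without a network.
$sample = [ordered]@{
    'PC-001' = 'CONTOSO/PC-001/Administrator', 'CONTOSO/Domain Admins'
    'PC-002' = 'CONTOSO/PC-002/Administrator', 'CONTOSO/Domain Admins', 'CONTOSO/PC-002/jsmith'
}
$findings = foreach ($pc in $sample.Keys) {
    Find-UnexpectedAdmin -ComputerName $pc -Members $sample[$pc] -Allowed $allowed
}
$findings | Format-Table -AutoSize

# Live use against the computers in the OU (names read from a text file):
# Get-Content .\computers.txt | ForEach-Object {
#     Find-UnexpectedAdmin -ComputerName $_ -Members (Get-LocalAdminMember $_) -Allowed $allowed
# }
```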
 
Thanks Mark!

Thanks & Regards,

Ken Zhao

--------------------
| Date: Fri, 30 Nov 2007 10:31:31 +0100
| From: "Mark Heitbrink [MVP]"
| Subject: Re: Removing local users from local administrator group
| Newsgroups: microsoft.public.win2000.group_policy
| --
| Mark Heitbrink - MVP Windows Server - Group Policy
|
| Homepage: www.gruppenrichtlinien.de - deutsch
| Blog: gpupdate.spaces.live.com - english
 
Hi,

I am just writing to see how everything is going. If you have any updates
or need any further assistance on this issue, please feel free to let me
know.

Thanks & Regards,

Ken Zhao

--------------------
| From: "Ken Zhao [MSFT]"
| Date: Mon, 03 Dec 2007 07:50:45 GMT
| Subject: Re: Removing local users from local administrator group
| Newsgroups: microsoft.public.win2000.group_policy
|
| Thanks Mark!
 
No, all done, thanks.


Apollo
 
Hi Apollo,

Thanks for your response. Does it help?

Thanks & Regards,

Ken Zhao

--------------------
| From: "Apollo"
| Subject: Re: Removing local users from local administrator group
| Date: Wed, 6 Feb 2008 17:25:25 -0000
| Newsgroups: microsoft.public.win2000.group_policy
 