RE: Remove domain user from local administrators group

From: Arek Słomiński (aslom_at_paytel.pl)
Date: 10/13/04

  • Next message: Sullivan Tim P: "RE: Can we really block users from installing applications through Group policy?" 
    Date: Wed, 13 Oct 2004 15:27:04 +0200
To: <focus-ms@securityfocus.com>

    > -----Original Message-----
    > From: chang zhu [mailto:cyz2000@yahoo.com]
    > Sent: Tuesday, October 12, 2004 5:17 PM
    > To: focus-ms@securityfocus.com
    > Subject: Remove domain user from local administrators group
    >
    > Hi,all
    >
    > I just went to this new company and found out that each
    > domain user is assigned to local administrators group.
    >
    > We need to remove domain user from local administrators
    > group. Is there any MS utility that allows to do this
    > instead of going to each workstation
    >
    > to remove and assign them to Power Users group?
    >

    Hi,

    You can prepare logon script which uses tools like setacl from Reskit and attach in the GPO for machines you want to delete the Domain Admins group.

    Regards
    Arek

    ---------------------------------------------------------------------------
    ---------------------------------------------------------------------------

  • Next message: Sullivan Tim P: "RE: Can we really block users from installing applications through Group policy?"

    Relevant Pages

    • need help with OpenDSObject
      ... I am writing an HTA that will allow me to add a domain user to the ... local Administrators group and can be run even as a lowly user provided ... Sub Promote ... Set objGroup = objDSO.OpenDSObject ...
      (microsoft.public.scripting.vbscript)
    • Re: Question about group
      ... It would mean that domain user can log on to any computer and get admin rights to ... adding the built-in role "INTERACTIVE" to the local Administrators group. ...
      (microsoft.public.win2000.security)
    • script to add multple users to local admin group on servers
      ... ' Script to add domain user to local administrators group ... Dim strUser, objUser, objGroup, objFSO, objTextStream ... ' Bind to local Administrators group on remote computer. ... On Error GoTo 0 ...
      (microsoft.public.windows.server.scripting)
    • RE: Add AD user to localgroup
      ... if your script runs locally on a Win2k or WinXP workstation, you can use the following code (please note that you can still use the ADSI WinNT: provider to access objects in an Active Directory domain): ... ' bind to the local Administrators group ... add the domain user to the local group ...
      (microsoft.public.scripting.vbscript)
    • Re: Prevent user to install software
      ... >member of the computer's local Administrators group how ... >domain user account could be prevented from installing ... If your domain user account object is a member ... >assuming that you are trying to install software and are ...
      (microsoft.public.win2000.group_policy)
    • Quantcast