nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Group Policy Question??

billybob01

I need to search all our workstations for any employee who is in the Local Administrators Group and if they are to take them out and move them to the Power Users Group. Can this be done using GPP?

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

pham0329

I know you can add users to the local admin via gpo using the restricted groups setting, but I don't think you can remove specific users. Your best bet would probably be a startup script.

billybob01

pham0329 wrote: »

I know you can add users to the local admin via gpo using the restricted groups setting, but I don't think you can remove specific users. Your best bet would probably be a startup script.

Yes, you can add or remove users using Group Policy Preferences. I am looking into wether you can use an LDAP query with GPP to search all workstations and if a user is a memeber of the Local Admin group to remove them and add them to the Power users group.

pham0329

Ah, sorry, misread the post. I still think a startup script is the best option.

-Foxer-

You could probably do it relatively easy with powershell. That's what I would look into.

blargoe

pham0329 wrote: »

I know you can add users to the local admin via gpo using the restricted groups setting, but I don't think you can remove specific users. Your best bet would probably be a startup script.

You could use a restricted groups setting to enforce 1)Administrators group only consists of a list of users, or 2) certain users are always members of the Administrators group. It could help you make the Administrators group standardized and remove the users that you do not want to be in there, but I don't know of a way in Restricted Groups or GPP to make the primary user of that computer be in the Power Users group, other than, of course the start up script already mentioned.