Group Policy Question??

billybob01 Member Posts: 504
I need to search all our workstations for any employee who is in the Local Administrators Group and, if they are, to take them out and move them to the Power Users Group. Can this be done using GPP?

Comments

  • pham0329 Member Posts: 556
    I know you can add users to the local admin via gpo using the restricted groups setting, but I don't think you can remove specific users. Your best bet would probably be a startup script.
  • billybob01 Member Posts: 504
    pham0329 wrote:
    I know you can add users to the local admin via gpo using the restricted groups setting, but I don't think you can remove specific users. Your best bet would probably be a startup script.

    Yes, you can add or remove users using Group Policy Preferences. I am looking into whether you can use an LDAP query with GPP to search all workstations and, if a user is a member of the Local Admin group, to remove them and add them to the Power Users group.
  • pham0329 Member Posts: 556
    Ah, sorry, misread the post. I still think a startup script is the best option.
  • -Foxer- Member Posts: 151
    You could probably do it relatively easily with PowerShell. That's what I would look into.
  • blargoe Member Posts: 4,174
    pham0329 wrote:
    I know you can add users to the local admin via gpo using the restricted groups setting, but I don't think you can remove specific users. Your best bet would probably be a startup script.
    You could use a restricted groups setting to enforce 1) Administrators group only consists of a list of users, or 2) certain users are always members of the Administrators group. It could help you make the Administrators group standardized and remove the users that you do not want to be in there, but I don't know of a way in Restricted Groups or GPP to make the primary user of that computer be in the Power Users group, other than, of course, the startup script already mentioned.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
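
The startup-script approach suggested in the replies above, written in PowerShell as an added example (not code from any poster in the thread). It assumes PowerShell 5.1 with the built-in LocalAccounts cmdlets and a script running as SYSTEM at computer startup; the allowlist names and the `-Enforce` switch are hypothetical placeholders.

```powershell
#Requires -Version 5.1
# Added example: move unexpected user accounts from local Administrators to Power Users.
# Assumption: deployed as a computer startup script, so it runs as SYSTEM.
param([switch]$Enforce)   # hypothetical switch: without it the script only reports

# Well-known SIDs work regardless of OS display language.
$adminsSid     = 'S-1-5-32-544'   # BUILTIN\Administrators
$powerUsersSid = 'S-1-5-32-547'   # BUILTIN\Power Users

# Principals that may stay in Administrators (placeholder names, replace with your own).
$allowList = @('EXAMPLE\Domain Admins', 'EXAMPLE\Workstation-Admins')

try {
    $members = Get-LocalGroupMember -SID $adminsSid -ErrorAction Stop
} catch {
    # Enumeration can fail (for example on unresolvable members); change nothing.
    Write-Warning "Cannot enumerate Administrators on ${env:COMPUTERNAME}: $_"
    exit 1
}

# SIDs already in Power Users, so an existing membership is not added twice.
$powerUsers = @(Get-LocalGroupMember -SID $powerUsersSid -ErrorAction SilentlyContinue |
    ForEach-Object { $_.SID.Value })

foreach ($m in $members) {
    # Keep the built-in Administrator account (RID 500) and allowlisted principals.
    if ($m.SID.Value -match '^S-1-5-21-.*-500$') { continue }
    if ($allowList -contains $m.Name) { continue }

    # Only user accounts are demoted; unexpected groups are reported for manual review.
    if ($m.ObjectClass -ne 'User') {
        Write-Output "REVIEW     $($m.Name) ($($m.ObjectClass))"
        continue
    }
    if (-not $Enforce) {
        Write-Output "WOULD-MOVE $($m.Name)"
        continue
    }

    # Add to Power Users first so a failure never leaves the user in neither group.
    if ($powerUsers -notcontains $m.SID.Value) {
        Add-LocalGroupMember -SID $powerUsersSid -Member $m -ErrorAction Stop
    }
    Remove-LocalGroupMember -SID $adminsSid -Member $m -ErrorAction Stop
    Write-Output "MOVED      $($m.Name)"
}
```

Running it once without `-Enforce` and collecting the output gives the audit list of who would be moved on each workstation before anything changes.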