At my company, users are administrators of their workstations. To enhance desktop security, however, I need to remove other users from the local Administrators group on each computer. How can I accomplish this task without visiting each computer and manually deleting the users?
Group policy comes to the rescue here. In Group Policy Objects (GPOs), the Restricted Groups folder under \computer configuration\windows settings\security settings contains options that let you control group membership for local groups on the workstations and member servers in your domain. To accomplish your job, create and edit a GPO that you'll apply to all the workstations that need the change. For example, if you edit Default Domain Policy, your change will apply to all computers in the domain unless a lower GPO specifies a policy for the same group. (See the preceding Q&A, InstantDoc ID 21295.) To remove users from their local Administrators group, maneuver to the Restricted Groups folder, right-click, select Action, then select Add Group. Enter the name of the local group whose membership you want to control—in this case, Administrators. A policy named for the group will appear in the details pane, as Figure 1 shows. Double-click the policy to display the dialog box that Figure 2 shows. Click Add, then click Browse. Select Domain Admins, then click OK to close all the dialog boxes.
This policy will cause your domain's member servers and workstations to delete any members other than Domain Admins from each computer's local Administrators group. To verify your change, log on to a member server or workstation in your domain, then at a command prompt, type
secedit /refreshpolicy machine_policy
This command applies group policy immediately instead of waiting for the next typical refresh, which could be as long as 2 hours away. Next, open the Microsoft Management Console (MMC) Computer Management snap-in, then maneuver to Local Users and Groups. You'll now see only Domain Admins and the local Administrator user account as members of Administrators. You still find the local Administrator account because this user is a built-in member of Administrators, and you can't delete that account.
