Sign in with
Sign up | Sign in
Your question

Revoke local admin rights

Last response: in Windows 2000/NT
Share
Anonymous
May 6, 2004 8:43:33 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Hi all,

we have a situation where our client machines (100-ish) log on to their
machines with administrative rights (yeah, I know). After a spate of issues
with adware etc, I'd really like to revoke their privileges somewhat, either
by literally taking away install rights, or by finding a way to convert them
to ordinary non-admin accounts (pref. permanently). Is this possible, or am
I in for a long walk round the office? :o )

Cheers and thanks in advance, Martin H.

martin@horzle.co.uk
Anonymous
May 6, 2004 8:43:34 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Martin,

Take a look at the Restricted Groups GPO. That might save you a few steps!

Cary

"Martin Horsley" <Martin.Horsley@apsmortgages.co.uk> wrote in message
news:o %23XJQE4MEHA.4016@TK2MSFTNGP10.phx.gbl...
> Hi all,
>
> we have a situation where our client machines (100-ish) log on to their
> machines with administrative rights (yeah, I know). After a spate of
issues
> with adware etc, I'd really like to revoke their privileges somewhat,
either
> by literally taking away install rights, or by finding a way to convert
them
> to ordinary non-admin accounts (pref. permanently). Is this possible, or
am
> I in for a long walk round the office? :o )
>
> Cheers and thanks in advance, Martin H.
>
> martin@horzle.co.uk
>
>
Anonymous
May 6, 2004 10:06:02 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Ah thanks very much for the speedy response!

So (and I warn now, this is all new, and we will buy a book on it and do it
properly, just just right now we've got desktops covered in adverts and so
forth that are more pressing for the company than buying me training :o ))
I'm in the GP editor on the PDC, in computer conf > Windows settings >
security settings > restricted groups? And what can I actually "do" in
there?
All the users are Domain Users, and so if they roam to a PC where there
account is not admin, then we have no problem. It's only when they're on
their 'home' machines where they have been set as admins that we have the
problem. I don't understand how I can make the Domain Users group be
restricted by some other group, when really that isn't what is giving them
Admin privileges anyway, it's the fact that they are admins on their local
machines.

Cheers, Martin H.


"Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
news:o J1mOL4MEHA.2676@TK2MSFTNGP12.phx.gbl...
> Martin,
>
> Take a look at the Restricted Groups GPO. That might save you a few
steps!
>
> Cary
>
> "Martin Horsley" <Martin.Horsley@apsmortgages.co.uk> wrote in message
> news:o %23XJQE4MEHA.4016@TK2MSFTNGP10.phx.gbl...
> > Hi all,
> >
> > we have a situation where our client machines (100-ish) log on to their
> > machines with administrative rights (yeah, I know). After a spate of
> issues
> > with adware etc, I'd really like to revoke their privileges somewhat,
> either
> > by literally taking away install rights, or by finding a way to convert
> them
> > to ordinary non-admin accounts (pref. permanently). Is this possible, or
> am
> > I in for a long walk round the office? :o )
> >
> > Cheers and thanks in advance, Martin H.
> >
> > martin@horzle.co.uk
> >
> >
>
>
Anonymous
May 6, 2004 11:49:52 PM

Archived from groups: microsoft.public.win2000.group_policy (More info?)

Not much!

You actually need to install the adminpak.msi on a WIN2000 workstation and
do the rest from there. Here are some links that I should have initially
included:

http://support.microsoft.com/?id=320065 ( you can change 'Administrators'
to any of the other groups, such as 'Power Users' if you need )


For additional information, take a look at these:

http://support.microsoft.com/?id=320045
http://support.microsoft.com/?id=279301
http://support.microsoft.com/?id=228496

And you might want to take a look at this:
http://support.microsoft.com/?id=810076

This is because according to 228496 whichever user or group accounts were a
member of 'Adminsitrators' - in your example - are kicked out / replaced by
the Restricted Group that you create. Think about Domain Admins....

HTH,

Cary

"Martin Horsley" <Martin.Horsley@apsmortgages.co.uk> wrote in message
news:ua10Wy4MEHA.3052@TK2MSFTNGP12.phx.gbl...
> Ah thanks very much for the speedy response!
>
> So (and I warn now, this is all new, and we will buy a book on it and do
it
> properly, just just right now we've got desktops covered in adverts and so
> forth that are more pressing for the company than buying me training :o ))
> I'm in the GP editor on the PDC, in computer conf > Windows settings >
> security settings > restricted groups? And what can I actually "do" in
> there?
> All the users are Domain Users, and so if they roam to a PC where there
> account is not admin, then we have no problem. It's only when they're on
> their 'home' machines where they have been set as admins that we have the
> problem. I don't understand how I can make the Domain Users group be
> restricted by some other group, when really that isn't what is giving them
> Admin privileges anyway, it's the fact that they are admins on their local
> machines.
>
> Cheers, Martin H.
>
>
> "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
> news:o J1mOL4MEHA.2676@TK2MSFTNGP12.phx.gbl...
> > Martin,
> >
> > Take a look at the Restricted Groups GPO. That might save you a few
> steps!
> >
> > Cary
> >
> > "Martin Horsley" <Martin.Horsley@apsmortgages.co.uk> wrote in message
> > news:o %23XJQE4MEHA.4016@TK2MSFTNGP10.phx.gbl...
> > > Hi all,
> > >
> > > we have a situation where our client machines (100-ish) log on to
their
> > > machines with administrative rights (yeah, I know). After a spate of
> > issues
> > > with adware etc, I'd really like to revoke their privileges somewhat,
> > either
> > > by literally taking away install rights, or by finding a way to
convert
> > them
> > > to ordinary non-admin accounts (pref. permanently). Is this possible,
or
> > am
> > > I in for a long walk round the office? :o )
> > >
> > > Cheers and thanks in advance, Martin H.
> > >
> > > martin@horzle.co.uk
> > >
> > >
> >
> >
>
>
!