Group Policy to remove local administrator rights on users computer(s) is not working. Single Forest Multiple Domain Environment

Anonymous
2023-11-21T21:56:30+00:00

Hello, I attempted to use this method to remove local admin rights from some of our users who have them. I'm attempting to do this to help secure our environment.

Group Policy Preferences -> Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups -> New -> Local Group -> Action: Update -> Group Name: Administrators (built-in) -> Members: Add... (pick Sally / check name / return) -> Action: Remove from this group -> OK -> OK.

On one of my DCs I created this specific policy:

Then I added all the users I want removed from the local Administrators group and replicated this policy out to the other DCs. I also told the policy to add back a specific account we'd like to retain for LAPS (to be able to log on to the machine with this account as an admin if it loses its domain trust or is not on the internal corporate network).

Here's a screenshot if that helps.

Currently I only have this Group Policy active/linked on one of my OUs for our European users. I was assuming that once the users that are part of my policy reboot, it would remove their local admin rights. However, this does not appear to be working at all. I've observed what appear to be a few of these users rebooting, based on my monitoring tools, yet they still have local administrator rights. I also attempted to "Enforce" this recently to see if that helps.

Appreciate any insight or information.

Tags: Windows Server, Identity and access, User logon and profiles

Locked question, migrated from the Microsoft Support Community; user profiles for migrated questions are anonymized.

Accepted answer
  1. Anonymous
    2023-11-23T02:10:54+00:00

    Hello Chris (Stolle),

    Thank you for your reply.

    Based on the information above:

    > Group Policy Preferences -> Computer Configuration -> Preferences -> Control Panel Settings -> Local Users and Groups -> New -> Local Group -> Action: Update -> Group Name: Administrators (built-in) -> Members: Add... (pick Sally / check name / return) -> Action: Remove from this group -> OK -> OK.

    A: Because you configured the computer configuration (not the user configuration), you should link to the OU with Computer objects.

    > Hi Daisy or anyone else. Just to clarify. Are you saying that I should just link my EUC: Remove Local Admin rights from users to the "Computers" OU like this?

    A: Yes.

    > Or do I need to add the individual users' computers to the OU under the security filtering? I currently do not have any of the users' computers listed under the security filtering. I only have all the usernames I want removed from the Local Admin group within the policy I pasted in my original post.

    A: For "security filtering", we should keep the default "Authenticated Users".

    > Since I only have the usernames within this policy, should I move my policy to the OU > Location > Users?

    A: No.

    > Or should I keep the policy in the Computers OU for the location and add the individual users' computers?

    A: You should link to the OU with Computer objects.


    If there is any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    3 people found this answer helpful.
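The accepted answer comes down to two targeting conditions: the GPO must be linked on an OU in the chain above the computer object (not the users' OU), and the computer account must hold Read and Apply on the GPO, which the default "Authenticated Users" entry grants because domain computer accounts are members of Authenticated Users. The following PowerShell script is an added example, not code from the thread or from Microsoft, that checks both conditions for one computer plus whether the GPP Local Users and Groups item actually sits under Computer Configuration. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, that the computer name and GPO name are placeholders to replace, and that the GPO XML report names the extension "Local Users and Groups" (an assumption about the report schema).

```powershell
# Added targeting check (not from the thread). Assumes RSAT GroupPolicy + ActiveDirectory
# modules and an account that can read the GPO and the computer object.
param(
    [string]$ComputerName = 'EU-PC01',                                  # placeholder
    [string]$GpoName      = 'EUC: Remove Local Admin rights from users' # name used in the thread
)
Import-Module GroupPolicy, ActiveDirectory -ErrorAction Stop

# 1. Where does the computer object live? A Computer Configuration GPO must be linked on
#    this OU or a parent to reach the machine; a link on the users' OU never applies here.
$computer = Get-ADComputer -Identity $ComputerName
$ouDn = $computer.DistinguishedName -replace '^CN=[^,]+,', ''
"Computer object OU : $ouDn"

# 2. Is the GPO linked (directly or inherited) on that OU, and is the link enabled?
$inh  = Get-GPInheritance -Target $ouDn
$link = $inh.InheritedGpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if ($link) {
    "Link in OU chain   : Enabled=$($link.Enabled) Enforced=$($link.Enforced) Order=$($link.Order)"
} else {
    "Link in OU chain   : NONE - link the GPO on $ouDn or a parent OU"
}
if ($inh.GpoInheritanceBlocked) {
    "Note: inheritance is blocked on this OU; only Enforced links from above still apply."
}

# 3. Security filtering: the computer account needs Read + Apply. 'Authenticated Users'
#    includes every domain computer account, so the default filter already covers machines.
$perms = Get-GPPermission -Name $GpoName -All
$applyTo = ($perms | Where-Object { $_.Permission -eq 'GpoApply' } |
            ForEach-Object { $_.Trustee.Name }) -join ', '
"Apply granted to   : $applyTo"
$authRead = $perms | Where-Object {
    $_.Trustee.Name -eq 'Authenticated Users' -and $_.Permission -in 'GpoRead', 'GpoApply'
}
if (-not $authRead) {
    "Warning: Authenticated Users lacks Read on the GPO; computers cannot retrieve it."
}

# 4. Confirm the Local Users and Groups item is on the computer side of the GPO.
#    Assumption: the XML report labels the extension 'Local Users and Groups'.
$report = [xml](Get-GPOReport -Name $GpoName -ReportType Xml)
$lug = $report.GPO.Computer.ExtensionData | Where-Object { $_.Name -like '*Local Users*' }
"Computer-side LUG  : $([bool]$lug)"
if ($lug) {
    # Namespace prefixes are ignored by PowerShell's XML adapter, so local names suffice.
    $lug.Extension.Group.Properties.Members.Member |
        ForEach-Object { "  member {0,-30} action={1}" -f $_.name, $_.action }
}
```

Run it from a management host for one of the European workstations; a "NONE" on the link line reproduces the situation described in the question, and step 4 lists each member entry with its REMOVE or ADD action so the retained LAPS-style account can be confirmed at a glance.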

11 additional answers

  1. Anonymous
    2023-11-22T02:49:18+00:00

    Hello Chris (Stolle),

    Thank you for posting in the Microsoft Community forum.

    > Currently I only have this Group Policy Active / Linked on one of my OU's for our European users.

    A: Did you link the GPO to an OU with computer machines? If not, you should put the computer machines in the OU.

    For checking Computer Configuration within gpresult, we can follow the steps below:

    1. Log on to this machine using an administrator account.
    2. Open CMD (run as Administrator).
    3. Type gpresult /h C:\gpo.html and press Enter.
    4. Open gpo.html and check the GPO settings under "Computer Details".

    I hope the information above is helpful.

    If there is any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

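The gpresult steps above verify one machine interactively. To check the client-side result across several workstations at once, the following PowerShell script is an added example (not code from the thread or from Microsoft) that runs gpresult remotely, parses the "Applied Group Policy Objects" section of the computer scope, and reads the local Administrators membership so you can see both whether the GPO applied and whether the targeted user is still an administrator. It assumes WinRM is enabled on the targets, that you run it as an account that is a local administrator on them, and that the computer names, GPO name and user are placeholders to replace.

```powershell
# Added verification script (not from the thread). Assumes WinRM is reachable and the
# caller is a local admin on each target (gpresult /scope:computer needs elevation).
param(
    [string[]]$ComputerName = @('EU-PC01', 'EU-PC02'),                  # placeholders
    [string]$GpoName        = 'EUC: Remove Local Admin rights from users',
    [string]$UserToCheck    = 'CONTOSO\sally'                            # placeholder domain\user
)

$remote = {
    param($GpoName, $UserToCheck)

    # Which GPOs did the computer side actually apply at the last refresh?
    $rsop = gpresult /r /scope:computer 2>&1 | Out-String
    $applied = @()
    if ($rsop -match '(?s)Applied Group Policy Objects\s*-+\s*(.*?)(?:\r?\n\s*\r?\n)') {
        $applied = $Matches[1] -split '\r?\n' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    }

    # Current local Administrators membership. Get-LocalGroupMember throws on some builds
    # when the group holds orphaned SIDs of deleted domain accounts, so fall back to net.exe.
    try {
        $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
                   ForEach-Object { $_.Name }
    } catch {
        $members = net localgroup Administrators |
                   ForEach-Object { $_.Trim() } |
                   Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' }
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        GpoApplied   = ($applied -contains $GpoName)
        UserIsAdmin  = ($members -contains $UserToCheck)
        AppliedGpos  = ($applied -join '; ')
        AdminMembers = ($members -join '; ')
    }
}

Invoke-Command -ComputerName $ComputerName -ScriptBlock $remote -ArgumentList $GpoName, $UserToCheck |
    Select-Object Computer, GpoApplied, UserIsAdmin, AdminMembers |
    Format-Table -AutoSize
```

A row with GpoApplied false means the policy never reached the machine (link or filtering, not the GPP item itself); GpoApplied true with UserIsAdmin still true points at the item's own configuration, such as the member name not resolving, or the user having been re-added by another mechanism such as a login script. Re-run after a gpupdate /force or reboot on the target rather than relying on the refresh interval.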
  2. Anonymous
    2023-11-22T14:41:18+00:00

    Hello Daisy, thank you for the response. I actually noticed that the policy should be linked at the Computers OU level. I changed that and will monitor and report back to this thread.

  3. Anonymous
    2023-11-22T18:12:36+00:00

    Hi Daisy or anyone else. Just to clarify. Are you saying that I should just link my EUC: Remove Local Admin rights from users to the "Computers" OU like this?

    Or do I need to add the individual users' computers to the OU under the security filtering? I currently do not have any of the users' computers listed under the security filtering. I only have all the usernames I want removed from the Local Admin group within the policy I pasted in my original post.

    Since I only have the usernames within this policy, should I move my policy to the OU > Location > Users?

    Or should I keep the policy in the Computers OU for the location and add the individual users' computers?

    Appreciate any additional insight or information.

  4. Anonymous
    2023-11-28T15:08:15+00:00

    Hello Daisy Zhou. Thanks again for this valuable information! Just to clarify, I currently have my EUC: Remove Local Admin rights from users policy applied to the various OU > Computers GPOs. I only have the link active for my UK users currently, since I want to test to verify it's working for those users and removing their admin rights. I'm adding the users' individual computers to the policy.

    However, I didn't add "Authenticated Users" to this policy because I was worried it might apply to all users within our Domain? Is that not accurate?

    This is what it looks like in Group Policy Management.

    And if I click Edit on this policy, I have the individual usernames I want removed from the local admin group.

    Once the users reboot at the UK location where I have this policy enabled, I'm assuming it will remove their user ID from the local admin group. Does this look right? Thanks again for your help!
