[gptalk] Re: Local User Account

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 24 Nov 2008 07:27:37 -0800

Ryan-

Check out the whitepaper on my site about GPP
(http://www.gpoguy.com/Group-Policy-Whitepapers.aspx). Its basically a
free-add on that MS provides to give you additional capabilities within GP.
However, in your scenario, if you are trying to remove a unique user account
from the local Administrator's group on each machine, GPP won't help you.
But, since your users are already administrators, you could create a simple
GP-based logon script that lets them remove themselves from local
administrators. Some thing like this would work:

 

Net localgroup administrators %username% /delete

 

Should work. Once the user re-logs in, then they will no longer be in Local
Administrators.

 

Darren

 

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ryan Bannon
Sent: Monday, November 24, 2008 7:18 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Local User Account

 

Darren,

 

For the most part everyone is a local admin.  We have had a small company
mentality for quite a while, but now we have grown pretty rapidly over the
last few years, and now are getting a larger profile in the industry, so we
wanted to lock down our pc's and not let users do that much.  So one of the
steps is not giving them local admin rights to their pc's.  So what is the
Group Policy Preferences'?  Is that an add on program or snap-in?  And can
it be added after having a Group Policy already in place?

 

Thanks,

 

Ryan

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Monday, November 24, 2008 9:51 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Local User Account

 

Ryan-

Yes, this is a perfect job for Group Policy Preferences' Local Users and
Groups feature if you have rolled out GPP. If you haven't then you would
probably have to use a computer startup script to do it. Is the local user
account different on every machine? 

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Ryan Bannon
Sent: Monday, November 24, 2008 6:34 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Local User Account

 

I am looking for a way to change the local user account type for our
computers.  Right now we have them as local administrators, but we want to
change that to just a local user.  We have around 250 computer, so I don't
want to have to do it manually.  Is there a way to do this with Group
Policy?

 

Thanks,

 

Ryan Bannon

IT Support Technician

Pioneer Surgical Technology

 

Other related posts: