Andrew,

Absolutely that would be a bad day. I have been testing it and it seems to work correctly. I will be doing more testing with each department and any specific programs they use. Right now for the basic operations of the computer and the company-wide programs, it works perfectly right now. Thanks for the tip.

Thanks,
Ryan

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Andrew McHale
Sent: Monday, November 24, 2008 10:42 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Local User Account

Ryan,

A word of warning if I may. A lot of 3rd party applications require certain levels of access to the computer. For example, our accounting package requires write access to its own installation folder in order to save temp files. Unfortunately we are like you were with the small company attitude (we total 25 people) and so everyone has local admin access to their own machine (think happy thoughts Darren!). When I tried to take this away from a test user the application stopped working until I gave that user specific write permissions to this particular folder.

So, in short, test what will happen if you take this level of access away from your users before you do it company wide. 250 computers all with faulting applications would be a seriously bad day at the office for you!

Andrew

From: Ryan Bannon [mailto:ryanbannon@xxxxxxxxxxxxxxxxxxx]
Sent: 24 November 2008 15:36
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Local User Account

Darren,

Very cool. Thanks for your help. I have been working on a new Group Policy for our company for a few months now and I wish I would have found this sooner. I appreciate it.

Thanks,
Ryan

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Monday, November 24, 2008 10:28 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Local User Account

Ryan-

Check out the whitepaper on my site about GPP (http://www.gpoguy.com/Group-Policy-Whitepapers.aspx).
It's basically a free add-on that MS provides to give you additional capabilities within GP. However, in your scenario, if you are trying to remove a unique user account from the local Administrator's group on each machine, GPP won't help you. But, since your users are already administrators, you could create a simple GP-based logon script that lets them remove themselves from local administrators. Something like this would work:

    Net localgroup administrators %username% /delete

Should work. Once the user re-logs in, then they will no longer be in Local Administrators.

Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Ryan Bannon
Sent: Monday, November 24, 2008 7:18 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Local User Account

Darren,

For the most part everyone is a local admin. We have had a small company mentality for quite a while, but now we have grown pretty rapidly over the last few years, and now are getting a larger profile in the industry, so we wanted to lock down our PCs and not let users do that much. So one of the steps is not giving them local admin rights to their PCs.

So what is the Group Policy Preferences'? Is that an add-on program or snap-in? And can it be added after having a Group Policy already in place?

Thanks,
Ryan

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Monday, November 24, 2008 9:51 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Local User Account

Ryan-

Yes, this is a perfect job for Group Policy Preferences' Local Users and Groups feature if you have rolled out GPP. If you haven't then you would probably have to use a computer startup script to do it. Is the local user account different on every machine?
Darren

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Ryan Bannon
Sent: Monday, November 24, 2008 6:34 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Local User Account

I am looking for a way to change the local user account type for our computers. Right now we have them as local administrators, but we want to change that to just a local user. We have around 250 computers, so I don't want to have to do it manually. Is there a way to do this with Group Policy?

Thanks,

Ryan Bannon
IT Support Technician
Pioneer Surgical Technology
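
Added example, not part of the thread and not code from any poster: a computer startup script variant of the cleanup discussed above that goes beyond the one-line command by handling every user account in the local Administrators group and by offering a dry run for the per-department testing Andrew recommends. It assumes Windows PowerShell 5.1 with the built-in LocalAccounts cmdlets and an elevated context; the log path and the exemption list (built-in Administrator and Domain Admins) are hypothetical choices to adjust.

```powershell
#Requires -Version 5.1
# Added example: audit, then remove, user accounts from the local Administrators group.
# Run with -WhatIf first to log what would change without changing anything.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical log location (assumption); use a path you actually collect from.
    [string]$LogPath = "$env:ProgramData\LocalAdminCleanup.log"
)

# Well-known SID of BUILTIN\Administrators, so the script does not depend on
# the localized group name.
$adminGroupSid = 'S-1-5-32-544'

# Assumed exemptions: built-in Administrator (RID 500) and Domain Admins (RID 512).
$exemptRidPattern = '-(500|512)$'

foreach ($member in Get-LocalGroupMember -SID $adminGroupSid) {
    if ($member.SID.Value -match $exemptRidPattern) {
        $action = 'kept (exempt)'
    }
    elseif ($member.ObjectClass -ne 'User') {
        # Anything not clearly a user account is left for manual review.
        $action = 'kept (not a user, review manually)'
    }
    elseif ($PSCmdlet.ShouldProcess($member.Name, 'Remove from local Administrators')) {
        Remove-LocalGroupMember -SID $adminGroupSid -Member $member -ErrorAction Stop
        $action = 'removed'
    }
    else {
        $action = 'not removed (WhatIf or declined)'
    }

    # One line per member: timestamp, computer, account, outcome.
    "{0:s} {1} {2} {3}" -f (Get-Date), $env:COMPUTERNAME, $member.Name, $action |
        Add-Content -Path $LogPath
}
```

Collecting the `-WhatIf` logs from a pilot group first shows which accounts, including any local service accounts an application installed, would lose administrator rights before the change reaches all machines.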