[gptalk] Re: Local User Account

  • From: "Ryan Bannon" <ryanbannon@xxxxxxxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 24 Nov 2008 10:48:35 -0500

Andrew,

 

Absolutely that would be a bad day.  I have been testing it and it seems
to work correctly.  I will be doing more testing with each department
and any specific programs they use.  Right now for the basic operations
of the computer and the company wide programs, it works perfect right
now.  Thanks for the tip.

 

Thanks,

 

Ryan

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Andrew McHale
Sent: Monday, November 24, 2008 10:42 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Local User Account

 

Ryan,

 

A word of warning if I may.

 

A lot of 3rd party applications require certain levels of access to the
computer. For example, our accouting package requires write access to
its own installation folder inorder to save temp files.

 

Unfortunately we are like you were with the small company attitude (we
total 25 people) and so everyone has local admin access to their own
machine (think happy thoughts Darren!). When I tried to take this away
from a test user the application stopped working until I gave that user
specific write permissions to this particular folder.

 

So, in short, test what will happen if you take this level of access
away from your users before you do it company wide. 250 computers all
with faulting applications would be a serisouly bad day at the office
for you!

 

Andrew

 

 

 

From: Ryan Bannon [mailto:ryanbannon@xxxxxxxxxxxxxxxxxxx] 
Sent: 24 November 2008 15:36
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Local User Account

 

Darren,

 

Very cool.  Thanks for your help.  I have been working on a new Group
Policy for our company for a few months now and I wish I would have
found this sooner.  I appreciate it.

 

Thanks,

 

Ryan

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Monday, November 24, 2008 10:28 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Local User Account

 

Ryan-

Check out the whitepaper on my site about GPP
(http://www.gpoguy.com/Group-Policy-Whitepapers.aspx). Its basically a
free-add on that MS provides to give you additional capabilities within
GP. However, in your scenario, if you are trying to remove a unique user
account from the local Administrator's group on each machine, GPP won't
help you. But, since your users are already administrators, you could
create a simple GP-based logon script that lets them remove themselves
from local administrators. Some thing like this would work:

 

Net localgroup administrators %username% /delete

 

Should work. Once the user re-logs in, then they will no longer be in
Local Administrators.

 

Darren

 

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Ryan Bannon
Sent: Monday, November 24, 2008 7:18 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Local User Account

 

Darren,

 

For the most part everyone is a local admin.  We have had a small
company mentality for quite a while, but now we have grown pretty
rapidly over the last few years, and now are getting a larger profile in
the industry, so we wanted to lock down our pc's and not let users do
that much.  So one of the steps is not giving them local admin rights to
their pc's.  So what is the Group Policy Preferences'?  Is that an add
on program or snap-in?  And can it be added after having a Group Policy
already in place?

 

Thanks,

 

Ryan

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Monday, November 24, 2008 9:51 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Local User Account

 

Ryan-

Yes, this is a perfect job for Group Policy Preferences' Local Users and
Groups feature if you have rolled out GPP. If you haven't then you would
probably have to use a computer startup script to do it. Is the local
user account different on every machine? 

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Ryan Bannon
Sent: Monday, November 24, 2008 6:34 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Local User Account

 

I am looking for a way to change the local user account type for our
computers.  Right now we have them as local administrators, but we want
to change that to just a local user.  We have around 250 computer, so I
don't want to have to do it manually.  Is there a way to do this with
Group Policy?

 

Thanks,

 

Ryan Bannon

IT Support Technician

Pioneer Surgical Technology

 

Other related posts: