RE: Remove domain user from local administrators group

From: Sullivan Tim P (timnativemode.com)
Date: Tue Oct 12 2004 - 18:02:14 CDT


Be careful using restricted groups.

I say this because the groups/users you specify will be the ONLY ones
that are members of the administrators group.

Meaning if you have this defined in your policy:

Administrators
Domainname\domain administrators

That will be the only groups listed. And it will be made this way at
every reboot/GPO refresh.

I'm saying this because in my lab it caught me by surprise, and at first
thought a little backwards from how a normal GPO would work. But perhaps
this is exactly the solution you need.

On the flip side, I think a VBScript-based login script add-on could
take care of this problem, or a VBScript and PSExec combination.

Tim

-----Original Message-----
From: Morosan, Bogdan [mailto:Bogdan.Morosanrompetrol.com]
Sent: Tuesday, October 12, 2004 10:33 AM
To: chang zhu; focus-mssecurityfocus.com
Subject: RE: Remove domain user from local administrators group

You can use Restricted Groups policy to control group membership.

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scerestrictgroups.mspx

Bogi

> -----Original Message-----
> From: chang zhu [mailto:cyz2000yahoo.com]
> Sent: Tuesday, October 12, 2004 6:17 PM
> To: focus-mssecurityfocus.com
> Subject: Remove domain user from local administrators group
>
> Hi, all
>
> I just went to this new company and found out that each domain user is
> assigned to local administrators group.
>
> We need to remove domain user from local administrators group. Is
> there any MS utility that allows to do this instead of going to each
> workstation to remove and assign them to Power Users group?
>
> The environment is Win2K and XP.
>
> Thanks always,
>
> Chang
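The replace-not-merge behaviour Tim describes can be previewed before the policy is linked. The following is an added example, not part of the thread: it compares a workstation's current local Administrators members with the list planned for the Restricted Groups policy and reports what each refresh would keep, remove or add. The function names and the `EXAMPLE`, `PC042` and `svc-backup` names are assumptions made for illustration.

```powershell
# Added example (not from the thread). All account names below are constructed.

function Get-LocalAdminMember {
    # Read the current members through the ADSI WinNT provider.
    param([string]$Computer = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        # "WinNT://DOM/PC/name" -> "PC\name"; "WinNT://DOM/name" -> "DOM\name";
        # an unresolved SID has a single segment and is returned as-is.
        $parts = ($path -replace '^WinNT://', '') -split '/'
        if ($parts.Count -ge 2) { $parts[-2..-1] -join '\' } else { $parts[0] }
    }
}

function Get-RestrictedGroupPlan {
    # The policy's member list is authoritative: members not on it are removed,
    # listed members that are absent are added, at every reboot/GPO refresh.
    param([string[]]$Current, [string[]]$PolicyMembers)
    foreach ($c in $Current) {
        $action = if ($PolicyMembers -contains $c) { 'Keep' } else { 'Remove' }
        New-Object psobject -Property @{ Member = $c; Action = $action }
    }
    foreach ($p in $PolicyMembers) {
        if ($Current -notcontains $p) {
            New-Object psobject -Property @{ Member = $p; Action = 'Add' }
        }
    }
}

# Constructed sample: membership as it might look before the policy applies.
$current = 'PC042\Administrator', 'EXAMPLE\Domain Admins',
           'EXAMPLE\Domain Users', 'EXAMPLE\svc-backup'
# Planned policy list, written the way ADSI reports the names (an assumption).
$policy  = 'PC042\Administrator', 'EXAMPLE\Domain Admins'

Get-RestrictedGroupPlan -Current $current -PolicyMembers $policy |
    Sort-Object Action | Format-Table Member, Action -AutoSize

# On a live workstation, feed in the real membership instead of the sample:
# Get-RestrictedGroupPlan -Current (Get-LocalAdminMember) -PolicyMembers $policy
```

Any `Remove` row that is a service or support account still needed as a local administrator has to be added to the policy list before the GPO is linked.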