Thursday, June 9, 2011

Restrict the members of local administrator group by Group Policy Preference

In Windows Server 2008 or above environment, there are 2 method to control the members of users group by Group Policy Restricted Group and Group Policy Preference.

Both settings in a Group Policy could remove unauthorized members from a security group.

Using Group Policy Preference
1. At Domain Controller, log in as Domain Administrator.
2. Launch "Group Policy Management Console".
3. Right-click a group policy which is assigned to the computers, select "Edit".
4. Expand "Computer Configuration > Preferences > Control Panel Settings > Local Users and Groups".
5. Right-click "Local Users and Groups", select "New > Local Group".
6. Next to "Action", select "Update".
7. Next to "Group name", select "Administrators (built-in)".
8. Check "Delete all member users" and "Delete all member groups".
9. Click "Add".
10. Press [F3].


You can select a variable which is suitable for your environment.

11. Select "DomainName", click "Select".
12. At "Name", type "\Domain Admins".


13. Click "OK".
14. Click "Add".
15. At "Name", type "BuiltIn\Administrator".
16. Click "OK".


Remark: Make sure that you must add the domain groups or users before adding "BuiltIn\Administrator".

Remark: You might need to copy the description of local administrator and paste it in Description field.

17. Click "OK".
18. Close "Group Policy Management Editor".

After the policy is applied, the members of local administrator group are restricted.

Reference:

This posting is provided “AS IS” with no warranties, and confers no rights!

4 comments:

  1. On non-english systems I also have to use "BuiltIn\Administrator" ?

    ReplyDelete
    Replies
    1. "BuiltIn\Administrator" is the built in local administrator in computers. It supports in other language systems.

      Delete
  2. Why must domain users and groups be added first (Before the builtin Administrator account)? I fear I am missing something as to why that is needed.

    ReplyDelete
    Replies
    1. Base on my testing, if "Builtin\Administrator" is added before adding domain groups or domain users, domain groups and domain users aren't applied to the group.

      Delete