Replace admin privileges for domain users

Microsoft Windows server 2003
March 31, 2010 at 08:31:49
Specs: Windows XP
Hello: I am new to group policy usage, but I can usually find many of my answers on - but not this one...

In a domain/WinXP environment, I need a logon script to replace the "Domain Users" group in the local Administrators group. When the 800+ computers were originally configured, the helpdesk manually added this as part of the creation of each device. I need to replace admin privileges for obvious security reasons, but I am unsure how to do so without visiting each device throughout the country.

I still want users to have a lot of control of their respective node in order to minimize helpdesk support calls for simple issues the users can correct themselves.

Any ideas? Thanks in advance

March 31, 2010 at 10:19:29
If Active Directory is in play (and it really should be), you should be able to make a startup script to perform the changes for you.

March 31, 2010 at 10:28:35
Razor: Thank you for the reply and you are correct. My question was asking for the script itself.


March 31, 2010 at 10:46:43
"I need a logon script to replace the 'Domain Users' from the local administrative group"
Replace with what, exactly?

March 31, 2010 at 12:41:23
I was thinking to replace "domain users" with the current logging in user. For example "domain\jsmith" will replace the "domain users" group in local administrative rights.

I realize this would be redundant, but I plan on making an OU of allowable PCs for which this would occur. Should jsmith log onto a computer outside of the allowable group, he would only be a "user" and unable to harm the network/PC.

I need the users to continue to have the access to address issues themselves, as our helpdesk is a team of 4 and the users are over 1500.

Thanks again for the prompt reply Razor!

March 31, 2010 at 12:58:20
Well, assuming the user is already seen as a local admin, this batch script should work as their logon script (Untested):
rem Add the account that is logging on to the local Administrators group first ...
net localgroup administrators %userdomain%\%username% /add
rem ... then drop the broad "Domain Users" group from it (quoted because of the space)
net localgroup administrators "%userdomain%\domain users" /delete

April 8, 2010 at 06:54:35
Razor: Your script worked quite well and the Policy has been working great for almost a week now.

As a side job in addition to this, I have been investigating how to modify the script so it purges previous additions to the local admin group. My network admin is worried the list will grow infinitely due to users utilizing multiple PCs and a high turnover rate. He would like to basically see "Administrator", "Domain Admins" and the currently logged-in user ONLY.


April 11, 2010 at 12:03:58
Yeah . . . That's not going to be an issue with that script. The reason is one of those things your Windows Administrator should know.

You see, logon scripts are run by userinit. This means they run in the context and with the authority of the user logging in. If they're not already recognized as having administrator rights, they cannot add themselves with a script.

You might need to re-consider what the demands are before you proceed.

(And if your IT user support is outnumbered 375:1, someone should probably hire more staff.)
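The two points in this thread that a script has to respect are the ones above: a user logon script runs under the user's own token (so it can only ever remove rights that user already has, and cannot re-grant them), while the purge the network admin asked for in the April 8 post needs to run with authority the user does not have. The usual way to get that authority is a GPO computer startup script, which runs as LocalSystem at boot, as the first reply suggested. The following PowerShell is an added example, not code posted in this thread. It prunes the local Administrators group down to an allow-list using the ADSI WinNT provider (available on Windows XP / PowerShell 2.0; the newer LocalAccounts cmdlets are not). The `-Keep` parameter, the placeholder domain name `DOMAIN`, and the `-DryRun` switch are this example's own assumptions. Because a startup script runs before anyone logs on, it cannot know the "currently logged-in user" that the April 8 post mentions; a per-machine user would have to be passed in through `-Keep` (for example from a GPO filtered to that OU), and anything not on the list, including stale entries left by former staff, is removed.

```powershell
<#
  Prune the local Administrators group to an allow-list.
  Added example for this thread, not the original poster's script.
  Run as a GPO *computer startup* script (LocalSystem), not a user logon
  script: a logon script runs under the user's own token and cannot undo
  or grant admin rights it does not already hold.
  Uses the ADSI WinNT provider so it works on PowerShell 2.0 / Windows XP.
#>
param(
    # Accounts allowed to stay. Bare names mean local accounts; "DOMAIN" is a
    # placeholder for your NetBIOS domain name (an assumption of this example).
    [string[]] $Keep = @("Administrator", "DOMAIN\Domain Admins"),
    # Report what would be removed without changing anything.
    [switch]   $DryRun
)

$computer = $env:COMPUTERNAME
$group    = [ADSI]"WinNT://$computer/Administrators,group"

# Members() returns COM objects; read Name and ADsPath through InvokeMember.
# ADsPath looks like WinNT://DOMAIN/jsmith, WinNT://HOST/Administrator, or
# WinNT://WORKGROUP/HOST/user. The authority is always the second-to-last part.
# An orphaned SID (deleted account) has no authority and is therefore pruned.
$members = @($group.Invoke("Members")) | ForEach-Object {
    $name  = $_.GetType().InvokeMember("Name",    "GetProperty", $null, $_, $null)
    $path  = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
    $parts = ($path -replace '^WinNT://', '') -split '/'
    $authority = if ($parts.Length -ge 2) { $parts[$parts.Length - 2] } else { '' }
    New-Object PSObject -Property @{
        Name      = $name
        Path      = $path
        Qualified = "$authority\$name"
    }
}

# Normalise the allow-list to AUTHORITY\name, lower-cased for comparison.
$keepSet = $Keep | ForEach-Object {
    if ($_ -like '*\*') { $_.ToLower() } else { "$computer\$_".ToLower() }
}

foreach ($m in $members) {
    if ($keepSet -contains $m.Qualified.ToLower()) {
        Write-Output "keep         $($m.Qualified)"
        continue
    }
    if ($DryRun) {
        Write-Output "would remove $($m.Qualified)"
    } else {
        Write-Output "remove       $($m.Qualified)"
        # Group.Remove takes the member's ADsPath, e.g. WinNT://DOMAIN/Domain Users
        $group.Remove($m.Path)
    }
}
```

Run it once with `-DryRun` from an elevated prompt on a test machine before linking it to the OU; the output lists every member that would be dropped, which is also a quick audit of how far the "Domain Users as local admin" configuration has spread. Assign the script under Computer Configuration, Windows Settings, Scripts (Startup), so that it runs as LocalSystem regardless of who logs on next.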

April 11, 2010 at 12:41:09
There must be so many hits on Google on this subject... it's the most basic task to be performed by a Windows administrator.
