How to Remove Users from Local Administrator Group

Removing Users From Local Administrators Group using GPO

End users who are members of a Windows local Administrators group have an excessive amount of privileges, such as the ability to install and run programs, reset passwords, disable users, change access permissions to file servers, and more. This can lead to exploitation of privileges, which is a primary method attackers use to spread and gain control of systems inside an organization.
 
This is why it is crucial for administrators to monitor, manage, and clean up this group's membership across all Windows endpoints. Here's how you can manage your local Administrators group to keep it secure.

Using GPO to Remove Domain User Accounts

Launching Group Policy 
  1. Right-click the Computer OU and select Create a GPO in this domain, and Link it here.
  2. Provide a name for the GPO and click OK.
  3. Right-click the newly created GPO and select Edit.
  4. Navigate to Computer Configuration and click on Preferences.
  5. Click on Control Panel Settings and select Local Users and Groups.
  6. Right-click in the right-side window, select New, and then click Local Group.
  7. Update the following settings and then click OK:
     • Action: Update
     • Group Name: Administrators (built-in)
     • Delete all member users: Checked
     • Delete all member groups: Checked
This will remove all existing member users and groups from the local Administrators group. You can then proceed by adding the built-in Administrator account and the Domain Admins group to the local Administrators group.
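
To confirm on an endpoint that the policy has taken effect, the following PowerShell check lists any member of the local Administrators group other than the built-in Administrator account and Domain Admins. It is an added example, not part of the original article; the function name `Get-UnexpectedLocalAdmin` and its `-AllowedSid` parameter are hypothetical, and it assumes those two principals are the only intended members.

```powershell
# Added example: audit the local Administrators group after the GPO applies.
# Assumption: only the built-in local Administrator (RID 500) and
# Domain Admins (RID 512) should remain, as the article describes.

function Get-UnexpectedLocalAdmin {
    [CmdletBinding()]
    param(
        # Extra SIDs allowed to stay (hypothetical parameter for site-specific groups).
        [string[]]$AllowedSid = @()
    )

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators;
    # using it avoids depending on a localized group name.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop

    # This machine's built-in Administrator account (local SID ending in RID 500).
    $builtinAdmin = Get-LocalUser |
        Where-Object { $_.SID.Value -match '^S-1-5-21-\d+-\d+-\d+-500$' } |
        Select-Object -First 1

    foreach ($m in $members) {
        $sid = $m.SID.Value
        $isBuiltinAdmin = $builtinAdmin -and ($sid -eq $builtinAdmin.SID.Value)
        # RID 512 is Domain Admins; this pattern accepts that group from any domain.
        $isDomainAdmins = ($m.ObjectClass -eq 'Group') -and
                          ($sid -match '^S-1-5-21-\d+-\d+-\d+-512$')

        if (-not ($isBuiltinAdmin -or $isDomainAdmins -or ($AllowedSid -contains $sid))) {
            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                Name            = $m.Name
                SID             = $sid
                ObjectClass     = $m.ObjectClass
                PrincipalSource = $m.PrincipalSource
            }
        }
    }
}

# Report leftovers; a non-zero exit code lets a scheduled task or RMM tool alert.
$unexpected = @(Get-UnexpectedLocalAdmin)
if ($unexpected.Count -eq 0) {
    Write-Output 'OK: local Administrators contains only the expected members.'
} else {
    $unexpected | Format-Table -AutoSize
    exit 1
}
```

Run it from an elevated PowerShell 5.1 or later session after Group Policy has refreshed on the endpoint.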