In our Default Domain Policy, we have a Restricted Group. This is a domain group of users we want to be local admins on all PCs (such as my field techs). This is all set up and working.
Here's the problem: since this is part of the Default Domain Policy, *every* computer joined to the domain gets this setting, including ones that shouldn't (such as servers). Now, we keep all our various servers in one OU, a separate OU from all the client PCs. This Servers OU has its own GPO (with blocked inheritance).

My question: is there a way for this Servers GPO to be able to remove a Restricted Group, if it exists? This way, when we move a server machine account to the Servers OU, this LocalAdminsGroup won't exist as a member of the local Administrators group? I see references everywhere on how to add to the Restricted Group, but not how to remove it ... I don't want my field techs to have local admin access on the servers, only on the client PCs. Thanks
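
An added example, not part of the original post: a PowerShell script that audits the local Administrators group on a server and removes the domain group described above if it is present. It could be assigned as a computer startup script in the Servers OU GPO so that a machine moved into that OU is cleaned up at next boot. The domain NetBIOS name `CONTOSO` and the group name `LocalAdminsGroup` are assumptions (the post names only "LocalAdminsGroup"); adjust both parameters. It uses the WinNT ADSI provider so it runs on older Windows versions that lack the `Microsoft.PowerShell.LocalAccounts` cmdlets.

```powershell
# Added example, not from the original post.
# Remove a domain group from the local Administrators group if it is a member.
# Assumed values (not in the original post): domain CONTOSO, group LocalAdminsGroup.
param(
    [string]$Domain    = 'CONTOSO',
    [string]$GroupName = 'LocalAdminsGroup',
    [switch]$AuditOnly                       # report only, do not change membership
)

# Bind to the local Administrators group via the WinNT provider (works on
# old and new Windows releases, no extra modules required).
$admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"

# Enumerate current members and normalise each ADsPath
# (e.g. WinNT://CONTOSO/LocalAdminsGroup) to DOMAIN\Name form.
$members = @($admins.psbase.Invoke('Members') | ForEach-Object {
    $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    ($path -replace '^WinNT://', '') -replace '/', '\'
})

$target = "$Domain\$GroupName"
Write-Host "Local Administrators on $env:COMPUTERNAME:"
$members | ForEach-Object { Write-Host "  $_" }

# -contains is case-insensitive by default, matching how Windows treats names.
if ($members -contains $target) {
    if ($AuditOnly) {
        Write-Warning "$target is a local admin on this server (audit only, not removed)."
    } else {
        # Remove the domain group object from the local group.
        $admins.Remove("WinNT://$Domain/$GroupName,group")
        Write-Host "Removed $target from local Administrators."
    }
} else {
    Write-Host "$target is not a member of local Administrators; nothing to do."
}
```

Run it with `-AuditOnly` first on one server to confirm the membership list looks as expected; the one-line equivalent of the removal step is `net localgroup Administrators "CONTOSO\LocalAdminsGroup" /delete`. Two caveats worth checking in this setup: blocking inheritance on the Servers OU stops the Default Domain Policy from applying, but it does not undo a membership that the Restricted Groups setting already wrote, which is why the cleanup step is needed at all; and a Restricted Groups entry that defines the "Members of this group" list for Administrators in the Servers GPO is enforced exactly, so any member not on that list (including this domain group) is removed at each policy refresh.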
