You can replace the groups in the local Administrators group. Be careful with this, as you can inadvertently nuke accounts you did not intend to remove.

If you do this you must include every account you want in the local Administrators group in the GPO. Here is a write-up on using Restricted Groups in a GPO to replace or add to a local group on a system: http://rdpfiles.com/2011/04/11/managing-local-groups-with-group-policy/

Can you link the workstation admin GPO to just the workstation OUs?

Peter Boyles
BIS Engineering Analyst
PepsiCo Inc. | Global End User Services | GEUS Deploy
Office: (972) 963-6578 | E-Mail: [email protected]

-----Original Message-----
From: [email protected] On Behalf Of Michael Leone
Sent: Tuesday, June 30, 2015 9:12 AM
To: [email protected]
Subject: [NTSysADM] Removing a Restricted Group via GPO

In our Default Domain Policy, we have a Restricted Group. This is a domain group of users we want to be local admins on all PCs (such as my field techs). This is all set up and working.

Here's the problem - since this is part of the Default Domain Policy, *every* computer joined to the domain gets this setting, including ones that shouldn't (such as servers). Now, we keep all our various servers in 1 OU, a separate OU from all the client PCs. This Servers OU has its own GPO (with blocked inheritance).

My question: is there a way for this Servers GPO to be able to remove a Restricted Group, if it exists? This way, when we move a server machine account to the Servers OU, this LocalAdminsGroup won't exist as a member of the local Administrators group?

I see references everywhere on how to add to the Restricted Group, but not how to remove it ... I don't want my field techs to have local admin access on the servers, only on the client PCs.

Thanks
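The following PowerShell script is an added example and is not from the thread or from the linked write-up. It shows the check a practitioner would want before deploying a replace-style Restricted Groups entry: for each target computer it lists what a "Members of this group" entry would strip from and add to the local Administrators group, and it can also pull one specific domain group out of the local Administrators group (the Servers OU case) without touching any other member. The domain name CONTOSO and the default intended-member list are assumptions; LocalAdminsGroup is the name used in the thread. It assumes WinRM is reachable for remote targets and Windows 10 / Server 2016 or later for the Microsoft.PowerShell.LocalAccounts cmdlets.

```powershell
<#
  Added example, not from the thread. Previews what a Restricted Groups
  "Members of this group" (replace) entry would do to the local Administrators
  group on each computer, and can remove a single domain group the way the
  Servers OU wants. Assumptions: domain CONTOSO (hypothetical), the thread's
  LocalAdminsGroup name, WinRM reachable for remote targets, Windows 10 /
  Server 2016 or later. Run with -WhatIf to preview the removal only.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    # Exactly what the GPO's "Members of this group" list would enforce.
    # Anything not listed here is removed at the next policy refresh.
    [string[]]$IntendedMembers = @('Administrator', 'CONTOSO\Domain Admins'),
    # The group the Servers OU should not carry (LocalAdminsGroup in the thread).
    [string]$GroupToRemove = 'CONTOSO\LocalAdminsGroup'
)

function Invoke-OnComputer {
    param([string]$Computer, [scriptblock]$ScriptBlock, [object[]]$ArgumentList = @())
    # Run locally without WinRM when the target is this machine.
    if ($Computer -ieq $env:COMPUTERNAME -or $Computer -ieq 'localhost') {
        return & $ScriptBlock @ArgumentList
    }
    Invoke-Command -ComputerName $Computer -ScriptBlock $ScriptBlock -ArgumentList $ArgumentList
}

function Get-LocalAdminMembers {
    param([string]$Computer)
    Invoke-OnComputer -Computer $Computer -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object Name, ObjectClass, PrincipalSource
    }
}

function Get-ComparableName {
    param($Member)
    # Local accounts come back as COMPUTER\Name; compare those by leaf name so one
    # intended list works on every machine. Domain principals keep DOMAIN\Name.
    $n = [string]$Member.Name
    if ($Member.PrincipalSource -eq 'Local') { $n = ($n -split '\\', 2)[-1] }
    return $n.ToUpperInvariant()
}

foreach ($c in $ComputerName) {
    $current      = @(Get-LocalAdminMembers -Computer $c)
    $intended     = @($IntendedMembers | ForEach-Object { $_.ToUpperInvariant() })
    $currentNames = @($current | ForEach-Object { Get-ComparableName $_ })

    # Replace semantics: everything not on the intended list goes away,
    # and anything on the list that is missing gets added.
    $wouldRemove = @($current  | Where-Object { (Get-ComparableName $_) -notin $intended })
    $wouldAdd    = @($intended | Where-Object { $_ -notin $currentNames })

    Write-Host "== $c =="
    if ($wouldRemove) {
        Write-Host "A replace-style Restricted Groups entry would REMOVE:"
        $wouldRemove | Format-Table -AutoSize | Out-String | Write-Host
    }
    if ($wouldAdd) { Write-Host "...and ADD: $($wouldAdd -join ', ')" }

    # Servers-OU case: take out only the one group, leaving everything else alone.
    $hit = $current | Where-Object { $_.Name -ieq $GroupToRemove }
    if ($hit -and $PSCmdlet.ShouldProcess($c, "Remove $GroupToRemove from Administrators")) {
        Invoke-OnComputer -Computer $c -ArgumentList @($GroupToRemove) -ScriptBlock {
            param($g)
            Remove-LocalGroupMember -Group 'Administrators' -Member $g
        }
    }
}
```

Save it as, for instance, Preview-LocalAdmins.ps1 and run `.\Preview-LocalAdmins.ps1 -ComputerName srv01,srv02 -WhatIf` to see the preview without removing anything; drop `-WhatIf` to actually remove the group. Note that a removal made this way is only a one-off cleanup: if a policy that still lists the group applies to the machine, the group comes back at the next refresh, so after moving a server into the Servers OU run `gpupdate /force` on it and re-run the script to confirm the membership stays as intended.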
