Group Policy Remove Administrator Rights

(Last Updated On: 2019-08-07)

Looking after any network environment is a daunting task at best. Not only do you have to protect against external attacks, but against internal users as well.
Yes, I am talking about that salesperson who required USB access once because he needed information from a client. Now the laptop is being used to watch movies at night, and this requires a new codec to play. Oops… you’re infected.

Using Group Policy to remove admin rights is one of the most important security controls for preventing users from installing unwanted software. On top of this, it also prevents software from unknowingly doing something on the computer.

Creating the Group Policy

Creating the GPO is a two-step process. Step One is to remove all users and groups currently assigned to the Administrators group. Step Two is to add the required groups back, because IT still needs access to do their work.

  1. Open Server Manager -> Tools
  2. Group Policy Management
  3. Browse to the Group Policy Objects in the required Domain
  4. Right Click and New
  5. Give the GPO an appropriate name (Ex: Remove Admin Right)
  6. Right Click the New Policy and Edit
  7. Browse to Computer Configuration -> Preferences
  8. Control Panel Settings
  9. Local Users and Groups

Step One

  1. Right Click -> All Tasks -> Add
  2. Action : Update
  3. Group Name: Administrators (Built-in)
  4. Tick Both:
    1. Delete all member users
    2. Delete all member groups
  5. Click Apply and OK

Step Two

  1. Right Click -> All Tasks -> Add
  2. Action : Update
  3. Group Name: Administrators (Built-in)
  4. Click Add and Search for the Group: Domain Admins
    If you have different Admin Groups assign the required Group
  5. Click Add and Type Administrator
    If you Rename the Administrator for Local workstations Type the name of the Renamed Administrator
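
To confirm the result on a workstation once the policy has applied, the check below lists the members of the local Administrators group and flags anything outside the Step Two allow-list. It is an added example, not part of the original post. It assumes the allow-list is Domain Admins plus the built-in local Administrator, matched by SID so a renamed Administrator still passes; the function name Test-AllowedAdminMember is hypothetical, and any other admin group you assigned needs its own rule.

```powershell
# Added example: audit the local Administrators group after the GPO has applied.
# Assumed allow-list (mirrors Step Two): Domain Admins (RID 512) and the
# built-in local Administrator (RID 500). Matching on SID, not name, means a
# renamed Administrator account is still recognised.

function Test-AllowedAdminMember {
    param(
        [Parameter(Mandatory)] [string] $Sid,
        [string] $PrincipalSource
    )
    # Domain Admins: a domain principal whose SID ends in -512
    if ($PrincipalSource -eq 'ActiveDirectory' -and $Sid -match '^S-1-5-21-(\d+-){3}512$') {
        return $true
    }
    # Built-in Administrator: a local account whose SID ends in -500
    if ($PrincipalSource -eq 'Local' -and $Sid -match '^S-1-5-21-(\d+-){3}500$') {
        return $true
    }
    return $false
}

# S-1-5-32-544 is the well-known SID of the built-in Administrators group,
# so the lookup also works when the group name is localized.
$members = Get-LocalGroupMember -SID 'S-1-5-32-544'

$report = foreach ($m in $members) {
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Name     = $m.Name
        Class    = $m.ObjectClass
        Source   = "$($m.PrincipalSource)"
        SID      = $m.SID.Value
        Allowed  = Test-AllowedAdminMember -Sid $m.SID.Value -PrincipalSource "$($m.PrincipalSource)"
    }
}

$report | Format-Table -AutoSize

# Anything not on the allow-list means the GPO did not apply as intended,
# or something re-added a member after the last policy refresh.
$unexpected = @($report | Where-Object { -not $_.Allowed })
if ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) unexpected member(s) in local Administrators on $env:COMPUTERNAME"
} else {
    Write-Output "Local Administrators matches the GPO allow-list"
}
```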

Issues and Solutions

People tend not to understand the risk when it comes to making these types of changes. The best recommendation is to make sure that you, as the IT administrator, know what applications are on the users’ machines.

Knowing this can help you plan your corresponding GPOs.
As an example, certain software requires admin privileges to the installed location. In this case, I suggest creating a GPO that allows Domain Users Full Control over that specific folder. This still greatly reduces the potential attack surface for any malicious software.

If you have “Entitled” users, use limited administrator groups like Power Users. Although they will still have certain admin rights, less is always more when it comes to security.
