I often come across environments where it is normal for every user to have local administrator rights on their computer. As you probably know (I hope), this is not best practice and it is very dangerous from a security point of view.
Anyway, removing all these users from all computers is an annoying job. Of course, you can do it via Group Policy, but you can't use a filter in case someone has to remain. For those cases, I wrote a small VBS script that you can use.
The usage is simple. From an administrative command prompt, change to the directory where the script is located and run it: RemoveAdmin.vbs ComputerName. ComputerName is the name of the computer you want to check.
The script looks at the local admin group and asks you, for every member, whether you want to remove it or not. This way you can choose who remains a local admin and who loses this privilege. Think twice before you leave this privilege to a user who is a member of the local admin group – remove it if you don't have a really good reason to keep it.
Download: RemoveAdmin
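The prompt-per-member flow described above, as an added sketch; it is not the downloadable RemoveAdmin.vbs. It assumes the group is named "Administrators" (English-language Windows) and that the ADSI WinNT provider can reach the target computer with your current credentials.

```vbscript
' Added example: review local Administrators membership on one computer.
' Assumption: the group is called "Administrators" (it is localized on
' non-English Windows installations).
Option Explicit
Dim strComputer, objGroup, objMember, colPaths, strPath, intAnswer

If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: cscript RemoveAdmin.vbs ComputerName"
    WScript.Quit 1
End If
strComputer = WScript.Arguments(0)

' Bind to the local Administrators group through the ADSI WinNT provider.
Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")

' Snapshot the members first so removals do not disturb the enumeration.
Set colPaths = CreateObject("Scripting.Dictionary")
For Each objMember In objGroup.Members
    colPaths.Add objMember.ADsPath, objMember.Class   ' "User" or "Group"
Next

For Each strPath In colPaths.Keys
    ' The default button is No, so pressing Enter by accident keeps the member.
    intAnswer = MsgBox("Remove " & colPaths(strPath) & " " & strPath & _
        " from Administrators on " & strComputer & "?", _
        vbYesNo + vbQuestion + vbDefaultButton2, "Local admin review")
    If intAnswer = vbYes Then
        On Error Resume Next
        objGroup.Remove strPath
        If Err.Number = 0 Then
            WScript.Echo "REMOVED " & strPath
        Else
            WScript.Echo "FAILED  " & strPath & " (0x" & Hex(Err.Number) & ")"
            Err.Clear
        End If
        On Error GoTo 0
    Else
        WScript.Echo "KEPT    " & strPath
    End If
Next
```

Every member is listed, including the built-in Administrator account and, on domain-joined machines, the Domain Admins group, so answer No for those you rely on for management. Redirecting the cscript output to a file gives a record of what was removed and what was kept.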
If you use a GPO to do this, while you cannot use a filter, you can use security to do the same thing. You can add the user account or PC account to the advanced security of the GPO and then select the deny GPO setting. This will bypass the application of the GPO for that PC or user.
I use this to bypass my management PCs from certain GPOs that I apply to the domain to lock down the PCs, so that my management PCs are more open for my day-to-day IT needs.