If your company is like most companies, you have users running as local administrators on their desktops. There are solutions that eliminate this need, and every company should be moving in that direction. When users run as local administrators, the IT staff has no control over that user or their desktop. In order for you to secure the local Administrators group on every desktop, you need some powerful tools to get the job done. There are typically three different tasks that you need to perform to secure this group, which we will cover in this article. Windows Server 2008 and Windows Vista SP1 (with the RSAT installed) provide amazing new controls that make these configurations a breeze!
The initial task of securing the local Administrators group is to ensure that the user no longer has membership in the group. This is easier said than done, since most companies have configured the user’s domain account to have membership in this group at installation of the user’s computer.
Consider a scenario where you have resolved the issue of having users running as local Administrator and now you need to remove the domain user accounts from the local Administrators group on every desktop in your environment. You only have 10,000 desktops, laptops, and remote users, so you only have a small task ahead of you (yeah right!).
If you create a script to perform this task, you are relying on the user to log off and back on for the script to run. That is not likely to happen on even half of the desktops, so you need another option.