Security – Remove local accounts but leave domain accounts in local administrators

Tags: group-policy, security, windows-server-2003

I'm trying to rename the local administrator account on all the PCs in a 2003 domain. The GP I have that uses GPP to rename the local administrator seems to work. However the problem I'm having is when the local administrator account is not named "Administrator" and is instead whatever the person installing the operating system before it was joined to the domain typed into the user box like "Bob" or "User". The new administrator account gets added, but the old one doesn't get replaced.

Unfortunately we still have some users that require local admin privileges, or I would just wipe that group, rename the admin, and be done. Is there any way to remove all other locally created admin accounts and leave the domain accounts in the local admin group via GP?

If I'm being convoluted the Local Administrators group contains these accounts: renamedAdmin, Bob, DOMAIN\someUser. I want it to only contain renameAdmin and DOMAIN\someUser. Any solution to this? Thanks.

Best Answer

You can do this with the GPO Restricted Groups

Computer configuration > Windows Settings > Security Settings > Restricted Groups.

If you set that up with Using the "Members" Restricted Group Portion of Policy, it will remove anything else that is listed locally. It will only apply the group that is in your policy. You can read more about it here. If other users need local admin rights, I might dump them into a Security Group, then add that Security Group to the Restricted Groups.

Also note, you'll want to make sure to include domain admins and your new local administrator in this group, or no one will be in the local admin group.
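As an added illustration of what the Restricted Groups "Members" setting does (this is example code, not part of the answer above and not a Microsoft tool), the script below applies the same semantics by hand: it compares the current local Administrators membership against an exact allow-list, reports anything extra, and refuses to remove members while a required principal (the renamed local admin or a domain group) is missing, so it cannot produce the lock-out the answer warns about. It assumes PowerShell 5.1 or later with the built-in Microsoft.PowerShell.LocalAccounts cmdlets (Get-LocalGroupMember / Remove-LocalGroupMember); the account and group names (renamedAdmin, DOMAIN\Domain Admins, DOMAIN\Workstation-LocalAdmins) are placeholders.

```powershell
# Added example: enforce an exact local Administrators membership, mirroring
# the Restricted Groups "Members" policy. Assumes PowerShell 5.1+ with the
# LocalAccounts module. Names below are placeholders, not real accounts.

function Get-AdminGroupDrift {
    param([Parameter(Mandatory)][string[]]$AllowedMembers)

    # Get-LocalGroupMember reports local principals as COMPUTER\name and
    # domain principals as DOMAIN\name, so both can be matched by full name.
    $current = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })

    # -notcontains is case-insensitive, which matches how Windows treats names.
    $extra   = @($current        | Where-Object { $AllowedMembers -notcontains $_ })
    $missing = @($AllowedMembers | Where-Object { $current        -notcontains $_ })

    [pscustomobject]@{ Current = $current; Extra = $extra; Missing = $missing }
}

function Set-AdminGroupMembership {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string[]]$AllowedMembers)

    $drift = Get-AdminGroupDrift -AllowedMembers $AllowedMembers

    # Safety check: never strip members while a required principal is absent,
    # otherwise the machine could end up with no usable local admin.
    if ($drift.Missing.Count -gt 0) {
        Write-Warning ("Required members not present: {0}. Add them first; no removals performed." -f ($drift.Missing -join ', '))
        return $drift
    }

    foreach ($member in $drift.Extra) {
        # -WhatIf on the caller shows what would be removed without changing anything.
        if ($PSCmdlet.ShouldProcess($member, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $member
        }
    }
    return $drift
}

# Placeholder allow-list: the renamed local admin, the domain admins group, and
# one domain security group holding the users who still need local admin rights.
$allowed = @(
    "$env:COMPUTERNAME\renamedAdmin",
    'DOMAIN\Domain Admins',
    'DOMAIN\Workstation-LocalAdmins'
)

# Dry run first; drop -WhatIf once the report looks right.
Set-AdminGroupMembership -AllowedMembers $allowed -WhatIf | Format-List
```

Run it from an elevated prompt. The Extra list is the set of locally created accounts such as "Bob" or "User" that the Restricted Groups policy would remove; placing users who still need local admin into a domain security group, as the answer suggests, keeps the allow-list to a few entries that are identical on every machine.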