I want to disable the permissions of local administrators in the machines of my domain, is this possible?, and only put administration rights to the Domain Administrators. And I want to do it with Group Policies.
Mainly I want to disable the permission of install/uninstall programs to the users, although they are Local Administrators of their machines.
Best Answer
Take the users out of the "local admins" groups.
The manual process would be to go to the computer, start > rc my computer and then "Manage Computer". Select "Local user and groups", "groups" then double click administrators. Remove the users from that group.
Probably best not to take Domain Admins out of this group though, and if you disable the local administartor group from doing anything, you may have other issues.
You may find that a lot of things will stop working for the users though, so Power Users might be the best place for them to go if they've done anything weird and wonderful.
If you wanted to do this by group policy, I think you'd be looking at scripting something, then having it run as a startup script.
Your script would then use "net localgroup administrators naughtyusers /delete"