How can I remove local administrator permissions?

Solution 1:

Take the users out of the "local admins" groups.

The manual process would be to go to the computer, Start > right-click My Computer, then "Manage". Select "Local Users and Groups", "Groups", then double-click "Administrators". Remove the users from that group.

Probably best not to take Domain Admins out of this group though, and if you disable the local Administrators group from doing anything, you may have other issues.

You may find that a lot of things will stop working for the users though, so Power Users might be the best place for them to go if they've done anything weird and wonderful.

If you wanted to do this by group policy, I think you'd be looking at scripting something, then having it run as a startup script.

Your script would then use "net localgroup administrators naughtyuser /delete".
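The startup-script approach from this answer, written out as an added example (not code from the original post). It uses the Microsoft.PowerShell.LocalAccounts cmdlets (Windows PowerShell 5.1 and later) instead of net localgroup, enumerates the local Administrators group, and removes every member that is not on an allow list. The domain name CONTOSO and the group "CONTOSO\Workstation Admins" are hypothetical; matching the built-in Administrator and Domain Admins by RID rather than by name is deliberate, because names can be renamed or localised.

```powershell
# Added example: startup script that enforces a local Administrators allow list.
# Deploy via Computer Configuration > Policies > Windows Settings > Scripts (Startup);
# it then runs as SYSTEM at boot. Run with -WhatIf first to see what it would remove.
param([switch]$WhatIf)

$Group     = 'Administrators'
$LogFile   = Join-Path $env:SystemRoot 'Temp\admin-cleanup.log'
$KeepNames = @('CONTOSO\Workstation Admins')   # hypothetical allow-listed domain group

function Write-Log {
    param([string]$Text)
    Add-Content -Path $LogFile -Value ("{0} {1}" -f (Get-Date -Format s), $Text)
}

# The built-in local Administrator is the RID-500 account under the machine's own SID.
# Look it up by RID, not by name, since the account may have been renamed.
$LocalAdminSid = (Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }).SID
$MachineSid    = $LocalAdminSid.AccountDomainSid.Value

function Test-KeepMember {
    param([Parameter(Mandatory)] $Member)
    $sid = $Member.SID.Value
    # Built-in local Administrator: always keep.
    if ($sid -eq $LocalAdminSid.Value) { return $true }
    # Domain Admins is RID 512 under a domain SID (i.e. not this machine's SID).
    # Simplification: any domain's -512 is kept; compare against the real domain
    # SID instead if the machine sits in a multi-domain forest.
    if ($sid -like 'S-1-5-21-*-512' -and $sid -notlike "$MachineSid-*") { return $true }
    # Explicit allow list by name (case-insensitive).
    if ($KeepNames -contains $Member.Name) { return $true }
    return $false
}

Write-Log "=== $Group cleanup start (WhatIf=$WhatIf) ==="
try {
    $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop
} catch {
    Write-Log "FAILED to enumerate ${Group}: $($_.Exception.Message)"
    exit 1
}

foreach ($m in $members) {
    $label = "$($m.Name) [$($m.ObjectClass), $($m.SID.Value)]"
    if (Test-KeepMember -Member $m) { Write-Log "keep    $label"; continue }
    if ($WhatIf)                    { Write-Log "would remove $label"; continue }
    try {
        Remove-LocalGroupMember -Group $Group -Member $m -ErrorAction Stop
        Write-Log "removed $label"
    } catch {
        Write-Log "FAILED  ${label}: $($_.Exception.Message)"
    }
}
Write-Log "=== $Group cleanup end ==="
```

Two caveats worth knowing before relying on this: a startup script only runs at boot, so a user who re-adds themselves stays admin until the next restart (Restricted Groups, as the next answer describes, is re-applied on every policy refresh), and Get-LocalGroupMember is known to fail when the group contains an orphaned SID from a deleted account, in which case the net localgroup command from the answer above, or the ADSI WinNT provider, still enumerates the group.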

Solution 2:

As @Tubs has said, don't try to cripple the local Administrators group. Just don't put your end users in that group. Power Users will give them permission to do pretty much everything that an admin can do, but not change system-wide configuration. Although they do have modify rights to the registry, so given time and a .reg file, I can't see there being any setting that they couldn't change.

Group Policy can directly control the membership of local groups. I don't have the admin tool available at the moment, but it is something like "Restricted Groups". What you specify here will become the complete membership of the group: you cannot instruct Group Policy to make changes to the membership of a local group, only to completely replace the membership with the list you specify, so remember to include Domain Admins in the Administrators group.
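Because a Restricted Groups "Members of this group" list replaces the whole membership, it is worth checking the template before linking the GPO. Restricted Groups settings are stored in the GPO's GptTmpl.inf under a [Group Membership] section (the MS-GPSB format: keys of the form <group>__Members and <group>__Memberof, comma-separated values, SIDs prefixed with an asterisk). The following is an added example, not from the original answer: it parses that section and warns if the Administrators list (well-known SID S-1-5-32-544) would drop Domain Admins. The .inf text is constructed for the example, and the SYSVOL path in the comment is hypothetical.

```powershell
# Added example: pre-deployment check of a Restricted Groups template.
# In practice read the file from SYSVOL, e.g. (hypothetical GUID)
#   Get-Content -Raw -Encoding Unicode "\\contoso.com\SYSVOL\contoso.com\Policies\{GUID}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
# The sample below is constructed for this example.
$SampleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-512,CONTOSO\Workstation Admins
'@

function Get-RestrictedGroupMembers {
    # Returns a hashtable: group (SID or name, asterisk stripped) -> @{ Members; Memberof }
    param([Parameter(Mandatory)][string]$InfText)
    $inSection = $false
    $result = @{}
    foreach ($raw in ($InfText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection -or $line -eq '') { continue }
        if ($line -match '^(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<list>.*)$') {
            $group = $Matches['group'].TrimStart('*')
            $kind  = $Matches['kind']
            $list  = if ($Matches['list'].Trim()) {
                         @($Matches['list'] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') })
                     } else { @() }
            if (-not $result.ContainsKey($group)) { $result[$group] = @{ Members = @(); Memberof = @() } }
            $result[$group][$kind] = $list
        }
    }
    return $result
}

function Test-AdministratorsTemplate {
    param([Parameter(Mandatory)][hashtable]$Groups)
    # Templates name the group either by well-known SID or by display name.
    $admins = $Groups['S-1-5-32-544']
    if (-not $admins) { $admins = $Groups['Administrators'] }
    if (-not $admins) { Write-Warning 'Template does not manage Administrators (S-1-5-32-544); nothing to check.'; return }

    # "__Members" is the replace-everything list; "__Memberof" only adds this
    # group to other groups and removes nothing, so it is not the risky one.
    $members = @($admins.Members)
    Write-Host 'After the policy applies, Administrators will contain exactly:'
    $members | ForEach-Object { Write-Host "  $_" }

    if ($members.Count -eq 0) {
        Write-Warning 'Members list is empty: the policy would strip every member from Administrators.'
    }
    $domainAdmins = $members | Where-Object { $_ -like 'S-1-5-21-*-512' -or $_ -like '*\Domain Admins' }
    if (-not $domainAdmins) {
        Write-Warning 'Domain Admins (RID 512) is not listed: the policy would remove it from every targeted machine.'
    }
}

Test-AdministratorsTemplate -Groups (Get-RestrictedGroupMembers -InfText $SampleInf)
```

With the sample template the check prints the two entries and raises no warning; delete the -512 entry from the sample and it warns that Domain Admins would be removed, which is exactly the mistake the answer cautions against.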