NickLPMW
Sep 30, 2024 - Copper Contributor
Removing local admin from users and adding "Users" group to "Allow log on locally"
Hello,
For security reasons, we want to remove local admin rights for our users on their work laptops. I have found a way to do this using LAPS.
The issue I am experiencing is that for some reason "Users" is not a working local group and it's not added to "Allow log on locally" by default.
I added "Gebruikers" (the local users group in Dutch) to the security baseline which sets groups that are allowed to log on locally. This works, but the issue is that this policy applies after the LAPS policy, so if users get a new laptop and it gets locked, they can't log back in and I have to manually change the Group Policy setting with an admin account.
I was thinking maybe a remediation script could solve this if it checks for the right Group Policy and adds the device to a specific group for LAPS, but I have no idea where to begin.
Any tips would be appreciated!
Best regards,
Nick
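
The check the post asks about can be written as a detection script that looks for the well-known SID of the built-in Users group (S-1-5-32-545) in "Allow log on locally" (`SeInteractiveLogonRight`), so it does not depend on whether the group is displayed as "Users" or "Gebruikers". This is an added example, not part of the original post. It assumes the script runs elevated (for example as SYSTEM) and that it is deployed as an Intune remediation detection script, where exit code 1 reports the device as non-compliant; the function name is hypothetical.

```powershell
# Added example: detection script, assumed to run elevated (secedit /export needs admin rights).
$UsersSid = 'S-1-5-32-545'             # well-known SID of BUILTIN\Users, same on every OS language
$Right    = 'SeInteractiveLogonRight'  # the "Allow log on locally" user right

function Test-UsersCanLogOnLocally {   # hypothetical helper name
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the user rights section of the effective local security policy.
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $cfg)) { return $false }

        # Expected line shape: SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,SomeName
        $line = Get-Content -Path $cfg |
            Where-Object { $_ -match "^\s*$Right\s*=" } |
            Select-Object -First 1
        if (-not $line) { return $false }   # right is not assigned to anyone

        $sids = foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                $entry.TrimStart('*')        # already a SID
            } else {
                # Entry is an account name (possibly localized); translate it to a SID.
                try {
                    $account = New-Object System.Security.Principal.NTAccount($entry)
                    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
                } catch { }                  # unresolvable names are ignored
            }
        }
        return ($sids -contains $UsersSid)
    } finally {
        Remove-Item -Path $cfg -Force -ErrorAction SilentlyContinue
    }
}

if (Test-UsersCanLogOnLocally) {
    Write-Output 'Compliant: BUILTIN\Users holds "Allow log on locally".'
    exit 0
}
Write-Output 'Not compliant: BUILTIN\Users is missing from "Allow log on locally".'
exit 1
```

The script only reports state; adding the device to a LAPS assignment group, as suggested in the post, would be a separate step that this example does not cover.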