Deploying rules
To create the default rules provided by Privilege Manager, use the Create GPO with Default Rules Wizard. To access the wizard from the Getting Started screen, select the Setup Tasks tab and then double-click Create GPO with default rules. Follow the prompts or see the Safeguard Privileged Manager for Windows Administration Guide for more information.
Removing local admin rights
The last step in preparing your environment for least privileged use is to remove administrative access from users who no longer require it.
Using the Active Directory Users and Computers utility
Using the Active Directory Users and Computers utility
To scrub the Domain Administrators group of users that should no longer have administrative rights to every computer in the domain, use the native Active Directory Users and Computers utility of the supported Windows Server operating systems.
To remove users from the Domain Administrators group,
-
Select Domain Admins Properties > Members tab > Remove.
-
Click Discover Accounts in local Administrator groups to discover users and domain groups with local administrator rights.
NOTE: By default, the search results will only include domain users and domain groups. However, you can optionally opt to include local and built-in (for informational purposes only) users.
Using the Users with Local Admin Rights screen
Using the Users with Local Admin Rights screen
To discover which domain users have been assigned to the local Administrators group on client computers, and then remove them, under the Discovery & Remediation tab of the Console, select the Users with Local Admin Rights screen. For more information, see Safeguard Privileged Manager for Windows Administration Guide.