I have successfully migrated about 250 computer accounts to a child domain and have computers that have local Admin from both Domains (to ensure access for users who don’t get the memo for their new domain accounts).
Anyway, for a deadline cutover, what’s the easiest way to remove those various source domain groups from local admin? I’m hoping to use a wildcard approach to snagging all the various source domain security groups.
Would you use Group Policy Preferences or PowerShell? For the GPO approach, the only way I can think of is 1) disable my current GPOs granting local admin to Destination security groups, then 2) link a top-level GPO that uses the “Delete all member Groups” on Built-in Administrators, then 3) re-enable the disabled GPOs.
If there was a way, however, to, say, loop through and remove from local admin all Groups that use *, that would be pretty cool.
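A sketch of the wildcard loop the question asks about, as an added example that is not part of the original post. It assumes Windows PowerShell 5.1 with the built-in LocalAccounts cmdlets; the function name `Remove-SourceDomainLocalAdmin` is hypothetical and `OLDDOM` is a placeholder for the source domain's NetBIOS name.

```powershell
# Added example: remove every member of the local Administrators group whose
# name starts with the source domain prefix. Function name is hypothetical.
function Remove-SourceDomainLocalAdmin {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # NetBIOS name of the source domain (placeholder value used below)
        [Parameter(Mandatory)][string]$SourceDomain,
        # By default only groups are removed; add this switch to include user accounts
        [switch]$IncludeUsers
    )

    # Well-known SID of BUILTIN\Administrators; avoids depending on a localized group name
    $adminSid = 'S-1-5-32-544'

    # Note: Get-LocalGroupMember can throw if the group contains orphaned
    # (unresolvable) SIDs, so a failure here is surfaced rather than ignored.
    $members = Get-LocalGroupMember -SID $adminSid -ErrorAction Stop

    # Wildcard match on "DOMAIN\name"; destination-domain and local members never match
    $targets = $members | Where-Object {
        $_.Name -like "$SourceDomain\*" -and
        ($IncludeUsers -or $_.ObjectClass -eq 'Group')
    }

    foreach ($member in $targets) {
        $action = "Remove $($member.Name) from local Administrators"
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, $action)) {
            Remove-LocalGroupMember -SID $adminSid -Member $member -ErrorAction Stop
            # Emit a record of each removal for the cutover log
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Removed  = $member.Name
                Sid      = $member.SID.Value
            }
        }
    }
}

# Dry run: lists what would be removed without changing group membership
Remove-SourceDomainLocalAdmin -SourceDomain 'OLDDOM' -WhatIf
```

Any Group Policy setting that still grants local admin to the source domain groups will re-add them at the next policy refresh, so remove those grants before running this without `-WhatIf`.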