GPO or Powershell to remove all source Domain members after migration

I have successfully migrated about 250 computer accounts to a child domain and have computers that have local Admin from both Domains (to ensure access for users who don’t get the memo for their new domain accounts).

Anyway, for a deadline cutover, what’s the easiest way to remove those various source domain groups from local admin? I’m hoping to use a wildcard approach to snagging all the various source domain security groups.

Would you use Group Policy Preferences or Powershell? For GPO approach, the only way I can think of is 1) disable my current GPOs granting local admin to Destination security groups then 2) link a top-level GPO that uses the “Delete all member Groups” on Built-in Administrators then 3) re-enable the disabled GPOs.

If there was a way, however, to say loop through and remove from local admin all Groups that use *, that would be pretty cool.

I’d have a file with the specific computers to remove, and write a short script that imports them and removes them. Would probably take 5-10 minutes to toss something together. Adding and removing GPOs just seems a bit sketchy. Plus, you can include a line in your loop to capture what you’re doing so you have an audit file at the end with who was removed from what.

I can certainly gather the inventory of the computers but would have no idea how to create that script. Can you assist, please?

Something like:

 $Hosts = Import-Csv -Path .\Hosts.csv
$Groups= Get-ADUser -Filter * | Select {"CONTOSO\*"} 
foreach ($host in $Hosts) {
Remove-LocalGroupMember -Group "Administrators" -Member $Groups

the easiest solution was to edit the existing GPO preferences on that OU and check both boxes “Delete all member users” and “Delete all member groups”.

With the previously added source groups as members in the lower portion the Administrators (built-in) Properties, the net results was just those groups had local admin.

Once the gpupdate was performed or the refresh interval had passed, I then unchecked those two boxes (since leaving them checked would disallow higher level Domain Admin as local admin). Net result, the computers were stripped of the previous Domains groups and users as local admins, but now had Destination Domain Domain Admins and Destination Domain new security group as local admin.