Users are evil, the weakest link in the whole security defense system, myself included. So the best way to stop them from making stupid mistakes is to take away their ability to do so. That means no more local admin rights, which has been best practice for quite some time.
To check who the members of my local Administrators group are,
Get-LocalGroupMember -Group 'Administrators'
Then to remove all users from the Local Administrators group,
Get-LocalGroupMember -Group 'Administrators' | Where {$_.objectclass -like 'user'} | Remove-LocalGroupMember Administrators
To remove a specific group, such as Domain Users,
Get-LocalGroupMember -Group 'Administrators' | Where {$_.Name -like 'domain\domain users'} | Remove-LocalGroupMember Administrators
None of this is much use if you can't run it on remote computers on the same network.
That's where the Invoke-Command cmdlet shines.
# $comp holds the name of the remote computer to clean up
Invoke-Command -ComputerName $comp -ScriptBlock {
    # Remove every user account from the local Administrators group
    Get-LocalGroupMember -Group 'Administrators' | Where {$_.objectclass -like 'user'} | Remove-LocalGroupMember Administrators
    # Remove the Domain Users group as well
    Get-LocalGroupMember -Group 'Administrators' | Where {$_.name -like 'domain\domain users'} | Remove-LocalGroupMember Administrators
}
Run the code against the list of computers you need to take care of, and you will have a clean setup within a couple of minutes.
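One way to run this against a whole list of computers, as an added example that is not part of the original post: it reports what would be removed before changing anything, and it goes a step further than the commands above by removing every member that is not on a keep list. The file hosts.txt, the -Apply switch and the keep list are assumptions to adjust for your environment.

```powershell
# Added example, not from the original post. hosts.txt, -Apply and the keep list are assumptions.
param(
    [string]$ComputerList = '.\hosts.txt',  # hypothetical file, one computer name per line
    [switch]$Apply                           # without -Apply nothing is changed, only reported
)

# Members to keep, matched on SID: built-in Administrator (RID 500) and Domain Admins (RID 512).
$keep      = @('S-1-5-21-*-500', 'S-1-5-21-*-512')
$doApply   = [bool]$Apply
$computers = Get-Content -Path $ComputerList | Where-Object { $_.Trim() }

$results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ErrorVariable failed -ScriptBlock {
    # Copy the caller's values into local variables for use in nested script blocks.
    $keepList = $using:keep
    $apply    = $using:doApply

    # S-1-5-32-544 is the well-known SID of the local Administrators group,
    # so this also works on systems where the group name is localized.
    foreach ($m in Get-LocalGroupMember -SID 'S-1-5-32-544') {
        $sid  = $m.SID.Value
        $kept = [bool]($keepList | Where-Object { $sid -like $_ })

        $action = if ($kept) { 'Keep' } elseif ($apply) { 'Removed' } else { 'WouldRemove' }
        if ($action -eq 'Removed') {
            try   { Remove-LocalGroupMember -SID 'S-1-5-32-544' -Member $m -ErrorAction Stop }
            catch { $action = "Failed: $($_.Exception.Message)" }
        }

        # One record per member; Invoke-Command adds PSComputerName to each record.
        [pscustomobject]@{ Member = $m.Name; Class = $m.ObjectClass; SID = $sid; Action = $action }
    }
}

# Per-host report, then the computers that could not be reached or returned errors.
$results | Sort-Object PSComputerName, Action |
    Format-Table PSComputerName, Member, Class, Action -AutoSize
$failed | ForEach-Object { Write-Warning $_.Exception.Message }
```

Review the WouldRemove rows from a first run before repeating it with -Apply, so that an admin group you still need is added to the keep list first.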