How can I prevent someone from logging into the local machine (as opposed to the domain)

I've got a user that is getting around the policies that are in effect here by logging into the local pc and not our domain. He is thus able to "detect internet connection automatically" and connect straight through our router instead of the web proxy that's in place.
dwielgoszAsked:
Who is Participating?
 
Rich RumbleConnect With a Mentor Security SamuraiCommented:
You cannot disable the local admin account. You can however change the password with ease, right-click my computer, go to manage, then right-click "Computer managment (local)" and select "connect to another computer..." typo in the ip or the machine name, then reset the local admin pass, and any others also, he could be using the guest account if it's enabled, the guest account by default has no pass, but is disabled by default. If he's created other accounts, disable them, and reset their pass's.
-rich
0
 
Pete LongTechnical ConsultantCommented:
only allow out the IP address of the web Proxy on either the firewall of the router on TCP Port 80
0
 
dwielgoszAuthor Commented:
Don't want to totally restrict flow to 1 IP because there are several PCs in my server room that don't like having to go through the web proxy.
0
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

 
Pete LongTechnical ConsultantCommented:
or on the client PC (or through domain policy if this is rife on your network)
Start > run > Gpedit.msc
Computer Configuration branch to expand it, and then double-click the Windows Setting branch to expand it.
Double-click the Security Settings branch to expand it, and then double-click the Local Policies branch to expand it.
Double-click the User Rights Assignment branch to expand it, double-click the Log On Locally branch to expand it,

Add in Domain users, and remove all the local groups except Administrators

job done :)
0
 
dwielgoszAuthor Commented:
Sounds good except the login that's being used is the local administrator account. Is there a way on the network to set the admin p/w on a local machine? I suppose I could restrict that machine to a static IP and then exclude that address on the cisco router. hahaha another learning curve.
0
 
Seelan NaidooConnect With a Mentor Microsoft Systems AdminCommented:
login as a Domain Admin and change the admin password, so how he cannot bypass domain security, or disable the account completely.
0
 
dwielgoszAuthor Commented:
Yes, thank you both. I should have thought of that myself.  I did not want to physically go into that office and change it, I had forgotten about the remote login through "manage". Thought splitting the points was the best solution. The password has been changed already.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.