Restricting adding of local Users/Groups to Domain Admins
Due to some uniqueness of my environment, I need to give domain users local Administrative access to some machines. However one of the no-nos is for these local Adminstrators is to create local accounts, but often then do anyway. How can I restict the creating of local accounts to Domain Admins only?
Environment: W2K3 Standard Servers, Windows XP-Pro clients
Environment: W2K3 Standard Servers, Windows XP-Pro clients
ASKER
Thank you for your suggestion, however it did not seem to work. I created a "test" account and added them to the local Administration group and was still able to add a new user and place that user into the local Administrator's group.
Just in case I misunderstood something, I am adding users from My Computer->Manage->Local Users and Groups.
Again, thanks for feedback.
Just in case I misunderstood something, I am adding users from My Computer->Manage->Local Users and Groups.
Again, thanks for feedback.
the minute you add a user to the admin local group...they have these permissions
you can counter that with group policy to a point
Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitt
you can counter that with group policy to a point
Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitt
Very simply, create Restricted Groups for each local Group on the PC. Enforce the membership of this group (use the Members section).
Now when a new local user is created, the account wants to belong to the Users local group - however, if you enforce this to contain only Domain Users then account creation should fail since the user cannot belong to any local groups (as defined in your GPO).
So you need to create Restricted Groups for:
Administrators - contain Domain Admins, the local Administrator and a new Security Group from the domain that contains the users that need Admin rights.
Power Users - no members.
ec, etc.
Make sure to include the default members in these Groups since this policy will remove anything not explictly defined in your policy.
Now when a new local user is created, the account wants to belong to the Users local group - however, if you enforce this to contain only Domain Users then account creation should fail since the user cannot belong to any local groups (as defined in your GPO).
So you need to create Restricted Groups for:
Administrators - contain Domain Admins, the local Administrator and a new Security Group from the domain that contains the users that need Admin rights.
Power Users - no members.
ec, etc.
Make sure to include the default members in these Groups since this policy will remove anything not explictly defined in your policy.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
try this:
go to windows/system32 there look for mshta.exe right click and select properties, there deny eveything to everybody and try to add a user again, if this works look the policy in the domain controller, maybe you re not restricting the access to this .exe correctly (you need to put the full path to it)
go to windows/system32 there look for mshta.exe right click and select properties, there deny eveything to everybody and try to add a user again, if this works look the policy in the domain controller, maybe you re not restricting the access to this .exe correctly (you need to put the full path to it)
what you can do is block the ejecution of mshta.exe (you can do this is the domain policies)
and for prevent the admins to run it from the run or the command using "control userpasswords2", block the run and the command in all the machines (this can be done in the domain policies as well)