Solved

is their a way of disabling local logon accounts, i need to be able to stop a network admin from creating a local account on his own machine

Posted on 2008-10-28
6
212 Views
Last Modified: 2013-12-04
i have a user who is a local admin on their own laptop ( domain account ) but i need to be able to deny him from creating his own local logon account and adding to the local admin group.

is their a way of diabling local users so he cannot create this account

thanks
0
Comment
Question by:darrenjak
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
6 Comments
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 22829429
I believe you can do this through Group Policy -
 
"smilerz
In your GPO find:
User Rights Assignment/Log On Locally.
Set the users to .\Administrators, DOMAIN\Administrators, DOMAIN\Users.  That should prevent anyone except domain accounts from logging in.

Test it thoroughly first, playing with user rights can cause unintended consequences.  You may need to add stuff like Local Service, Network Service, etc."
as per http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23047109.html
 
Let me know if you have any problems accomplishing this, and I will help you through it.
 
Pete
0
 

Author Comment

by:darrenjak
ID: 22829734
Sorry Pete. i may have described this wrongly

The user is currently a local admin on his laptop by adding his domain account as an administrator.  However he has created himself a local account on his laptop ( abusing his right as an administrator) so he can now log on and bypass our proxy. connect his laptop to his own wireless network ( which we are not allowing), he can  create local accounts, ( if i remove his created local account, he recreates it.)i am looking for a way to stop him from being able to do either of the tasks by restricting local log on, unable to create local accounts. but as me as the administrator of the domain still been able to fully work on that laptop
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 22832176
Hi Darren,
 
From what you've said, I think this is as close as you're going to get - You can't disable the local accounts, as he will just be able to re-enable them. However if you use the above method to restrict local log on to ONLY the local administrator (as opposed to the local admin group) this should essentially have the same effect.
 
He would probably still be able to create the local accounts, but not log on with them - Only the local administrator account would be allowed to log on (and domain users etc).
 
However if his domain account is a local admin, he can still reset the local administrators password and log on using that.
 
I personally would take this more as a managerial issue - He should be told that he can't do this, and that if he continues to, disciplinary action will be taken. It's hard to lock down someone who has a local admin account...
 
Still, I think restricting local log on to only the administrator account itself is as good as you'll get...
 
Pete
0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 
LVL 19

Expert Comment

by:PeteJThomas
ID: 22832208
Oh, and if the only issue is him getting around the proxy, you could reconfigure so that all internet traffic MUST be routed through the proxy, which is how we have it here. Doesn't matter who you are, if you remove the proxy settings, you can't get on to the web full stop...
0
 

Accepted Solution

by:
darrenjak earned 0 total points
ID: 22833150
Thanks Pete,

Ill give this a try, hoping to avoid the managerial issue etc but if needs must !! however ive found a way of removing manage from right click list, removing user accounts from control panel and restricting access to .cpl file that opens the user accounts,,,hopefully this will detour him from gaining access...
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 22833200
Yup you can lock a lot down using Group/Local Policy.

As said in the original post though, be careful when playing with log on restrictions - It can have all sorts of unintended effects, so test thoroughly on an inconsequential machine before implementing.

(i.e. create a test OU, bung the comp account for the test PC in there, and apply your GPO changes only to that OU).

If it works and stops any local accounts logging on (bar the actual local admin account itself) without causing any weird problems, then you're sorted!

To get around that he'd have to alter the GPO itself, and if he does that, well the words 'disciplinary' definitely come to mind there... :)

Let me know how you get on!

Pete
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Computer running slow? Taking forever to open a folder, documents, or any programs that you didn't have an issue with before? Here are a few steps to help speed it up. The programs mentioned below ALL have free versions, you can buy them if you w…
No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…
Come and listen to Percona CEO Peter Zaitsev discuss what’s new in Percona open source software, including Percona Server for MySQL (https://www.percona.com/software/mysql-database/percona-server) and MongoDB (https://www.percona.com/software/mongo-…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question