Solved

Is there a way of disabling local logon accounts? I need to be able to stop a network admin from creating a local account on his own machine

Posted on 2008-10-28
Last Modified: 2013-12-04
I have a user who is a local admin on their own laptop (domain account), but I need to be able to stop him from creating his own local logon account and adding it to the local admin group.

Is there a way of disabling local users so he cannot create this account?

Thanks
Question by:darrenjak
6 Comments
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 22829429
I believe you can do this through Group Policy -
 
"smilerz
In your GPO find:
User Rights Assignment/Log On Locally.
Set the users to .\Administrators, DOMAIN\Administrators, DOMAIN\Users.  That should prevent anyone except domain accounts from logging in.

Test it thoroughly first, playing with user rights can cause unintended consequences.  You may need to add stuff like Local Service, Network Service, etc."
as per http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23047109.html
 
Let me know if you have any problems accomplishing this, and I will help you through it.
 
Pete
0
 

Author Comment

by:darrenjak
ID: 22829734
Sorry Pete, I may have described this wrongly.

The user is currently a local admin on his laptop by adding his domain account as an administrator. However, he has created himself a local account on his laptop (abusing his right as an administrator) so he can now log on and bypass our proxy, connect his laptop to his own wireless network (which we are not allowing), and he can create local accounts (if I remove his created local account, he recreates it). I am looking for a way to stop him from being able to do either of the tasks by restricting local log on and making him unable to create local accounts, but with me as the administrator of the domain still being able to fully work on that laptop.
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 22832176
Hi Darren,
 
From what you've said, I think this is as close as you're going to get - You can't disable the local accounts, as he will just be able to re-enable them. However if you use the above method to restrict local log on to ONLY the local administrator (as opposed to the local admin group) this should essentially have the same effect.
 
He would probably still be able to create the local accounts, but not log on with them - Only the local administrator account would be allowed to log on (and domain users etc).
 
However, if his domain account is a local admin, he can still reset the local administrator's password and log on using that.
 
I personally would take this more as a managerial issue - He should be told that he can't do this, and that if he continues to, disciplinary action will be taken. It's hard to lock down someone who has a local admin account...
 
Still, I think restricting local log on to only the administrator account itself is as good as you'll get...
 
Pete
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 22832208
Oh, and if the only issue is him getting around the proxy, you could reconfigure so that all internet traffic MUST be routed through the proxy, which is how we have it here. Doesn't matter who you are, if you remove the proxy settings, you can't get on to the web full stop...
0
 

Accepted Solution

by:
darrenjak earned 0 total points
ID: 22833150
Thanks Pete,

I'll give this a try, hoping to avoid the managerial issue etc., but if needs must!! However, I've found a way of removing Manage from the right-click list, removing User Accounts from Control Panel and restricting access to the .cpl file that opens User Accounts... hopefully this will deter him from gaining access...
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 22833200
Yup you can lock a lot down using Group/Local Policy.

As said in the original post though, be careful when playing with log on restrictions - It can have all sorts of unintended effects, so test thoroughly on an inconsequential machine before implementing.

(i.e. create a test OU, bung the comp account for the test PC in there, and apply your GPO changes only to that OU).

If it works and stops any local accounts logging on (bar the actual local admin account itself) without causing any weird problems, then you're sorted!

To get around that he'd have to alter the GPO itself, and if he does that, well, the word 'disciplinary' definitely comes to mind there... :)

Let me know how you get on!

Pete
0
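
A check for the test PC discussed in this thread, confirming who holds the "Log on locally" right after the GPO applies and whether any local account has been re-created or added to the local Administrators group. This is an added example, not part of the thread; it assumes Windows PowerShell 5.1 or later run elevated, and `$ApprovedLocalUsers` is a hypothetical allow-list to adjust.

```powershell
# Added example (not from the thread). Run elevated on the test PC.
# ASSUMPTION: $ApprovedLocalUsers is a hypothetical allow-list of local accounts.
$ApprovedLocalUsers = @('Administrator')

function Get-UserRightHolders {
    param([Parameter(Mandatory)][string]$InfPath,
          [Parameter(Mandatory)][string]$Right)
    # secedit writes lines such as: SeInteractiveLogonRight = *S-1-5-32-544,DOMAIN\Users
    $line = Get-Content -Path $InfPath |
        Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return @() }          # right is not assigned to anyone
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry.StartsWith('*')) { $entry; continue }   # already a name
        $sid = $entry.Substring(1)
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { $sid }                    # unresolvable SID: report it raw
    }
}

# Export only the User Rights Assignment area of the effective local policy.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# "Log on locally" is stored as SeInteractiveLogonRight.
$holders = @(Get-UserRightHolders -InfPath $inf -Right 'SeInteractiveLogonRight')
Remove-Item $inf -ErrorAction SilentlyContinue

'Principals allowed to log on locally:'
$holders | ForEach-Object { "  $_" }

# A built-in local group in the list lets any new local member log on.
$holders | Where-Object { $_ -like 'BUILTIN\*' } |
    ForEach-Object { "WARNING: local group still holds the right: $_" }

# Enabled local accounts that are not on the allow-list.
Get-LocalUser | Where-Object { $_.Enabled -and $_.Name -notin $ApprovedLocalUsers } |
    ForEach-Object { "WARNING: unexpected enabled local account: $($_.Name)" }

# Local (non-domain) user accounts in the local Administrators group (S-1-5-32-544).
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User' -and
                   ($_.Name -split '\\')[-1] -notin $ApprovedLocalUsers } |
    ForEach-Object { "WARNING: local account in Administrators: $($_.Name)" }
```

Running it on a schedule and collecting the warnings centrally shows when a removed local account has come back.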
