Solved

Is there a way of disabling local logon accounts? I need to be able to stop a network admin from creating a local account on his own machine

Posted on 2008-10-28
Last Modified: 2013-12-04
I have a user who is a local admin on their own laptop (domain account), but I need to be able to stop him from creating his own local logon account and adding it to the local admin group.

Is there a way of disabling local users so he cannot create this account?

Thanks
0
Comment
Question by:darrenjak
6 Comments
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 22829429
I believe you can do this through Group Policy -
 
"smilerz
In your GPO find:
User Rights Assignment/Log On Locally.
Set the users to .\Administrators, DOMAIN\Administrators, DOMAIN\Users.  That should prevent anyone except domain accounts from logging in.

Test it thoroughly first, playing with user rights can cause unintended consequences.  You may need to add stuff like Local Service, Network Service, etc."
as per http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23047109.html
 
Let me know if you have any problems accomplishing this, and I will help you through it.
 
Pete
0
 

Author Comment

by:darrenjak
ID: 22829734
Sorry Pete, I may have described this wrongly.

The user is currently a local admin on his laptop by adding his domain account as an administrator. However, he has created himself a local account on his laptop (abusing his right as an administrator) so he can now log on and bypass our proxy, connect his laptop to his own wireless network (which we are not allowing), and create local accounts (if I remove his created local account, he recreates it). I am looking for a way to stop him from being able to do either of the tasks by restricting local log on and making him unable to create local accounts, but with me, as the administrator of the domain, still being able to fully work on that laptop.
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 22832176
Hi Darren,
 
From what you've said, I think this is as close as you're going to get - You can't disable the local accounts, as he will just be able to re-enable them. However if you use the above method to restrict local log on to ONLY the local administrator (as opposed to the local admin group) this should essentially have the same effect.
 
He would probably still be able to create the local accounts, but not log on with them - Only the local administrator account would be allowed to log on (and domain users etc).
 
However if his domain account is a local admin, he can still reset the local administrator's password and log on using that.
 
I personally would take this more as a managerial issue - He should be told that he can't do this, and that if he continues to, disciplinary action will be taken. It's hard to lock down someone who has a local admin account...
 
Still, I think restricting local log on to only the administrator account itself is as good as you'll get...
 
Pete
0
LVL 19

Expert Comment

by:PeteJThomas
ID: 22832208
Oh, and if the only issue is him getting around the proxy, you could reconfigure so that all internet traffic MUST be routed through the proxy, which is how we have it here. Doesn't matter who you are, if you remove the proxy settings, you can't get on to the web full stop...
0
 

Accepted Solution

by:
darrenjak earned 0 total points
ID: 22833150
Thanks Pete,

I'll give this a try, hoping to avoid the managerial issue etc., but if needs must! However, I've found a way of removing Manage from the right-click list, removing User Accounts from Control Panel and restricting access to the .cpl file that opens the user accounts... hopefully this will deter him from gaining access...
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 22833200
Yup you can lock a lot down using Group/Local Policy.

As said in the original post though, be careful when playing with log on restrictions - It can have all sorts of unintended effects, so test thoroughly on an inconsequential machine before implementing.

(i.e. create a test OU, bung the comp account for the test PC in there, and apply your GPO changes only to that OU).

If it works and stops any local accounts logging on (bar the actual local admin account itself) without causing any weird problems, then you're sorted!

To get around that he'd have to alter the GPO itself, and if he does that, well the word 'disciplinary' definitely comes to mind there... :)

Let me know how you get on!

Pete
0
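A way to verify, on the test machine, that the "Log on locally" restriction discussed in this thread actually took effect. This is an added example, not code posted by any participant; it assumes Windows PowerShell 5.1 or later in an elevated prompt, and the function names are illustrative.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1+, elevated.
function Get-LogonLocallySid {
    # Export user-rights assignments and read SeInteractiveLogonRight
    # ("Allow log on locally"). secedit writes SIDs as *S-1-... and may
    # write some accounts by name.
    $cfg = Join-Path $env:TEMP ("rights_{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
        $line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
        if (-not $line) { return }
        foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
            $entry = $entry.Trim()
            if ($entry.StartsWith('*')) {
                $entry.TrimStart('*')
            } elseif ($entry) {
                try {
                    $acct = [System.Security.Principal.NTAccount]$entry
                    $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
                } catch { $entry }   # unresolvable name: report it as written
            }
        }
    } finally { Remove-Item $cfg -ErrorAction SilentlyContinue }
}

function Test-LocalLogonExposure {
    # Enabled local accounts other than the built-in Administrator (RID 500).
    $extra = @(Get-LocalUser | Where-Object { $_.Enabled -and $_.SID.Value -notlike '*-500' })
    $extraSids = @($extra | ForEach-Object { $_.SID.Value })
    # Built-in groups: granting them the right lets every local member log on.
    $groups = @{ 'S-1-5-32-544' = 'BUILTIN\Administrators'; 'S-1-5-32-545' = 'BUILTIN\Users' }

    foreach ($sid in Get-LogonLocallySid) {
        $finding = 'ok'
        if ($groups.ContainsKey($sid)) { $finding = "$($groups[$sid]) holds the right: local members can log on" }
        elseif ($extraSids -contains $sid) { $finding = 'local account granted the right directly' }
        [pscustomobject]@{ Check = 'LogOnLocally'; Principal = $sid; Finding = $finding }
    }
    foreach ($u in $extra) {
        [pscustomobject]@{ Check = 'EnabledLocalAccount'; Principal = $u.Name; Finding = "last logon: $($u.LastLogon)" }
    }
    foreach ($m in Get-LocalGroupMember -SID 'S-1-5-32-544') {
        if ($extraSids -contains $m.SID.Value) {
            [pscustomobject]@{ Check = 'LocalAdminMember'; Principal = $m.Name; Finding = 'local account in Administrators' }
        }
    }
}

Test-LocalLogonExposure | Format-Table -AutoSize
```

Run it before and after applying the GPO to the test OU: a `LogOnLocally` row for `BUILTIN\Administrators` means the right is still granted to the group rather than to the administrator account itself.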
