Solved

Is there a way of disabling local logon accounts? I need to be able to stop a network admin from creating a local account on his own machine

Posted on 2008-10-28
Last Modified: 2013-12-04
I have a user who is a local admin on their own laptop (domain account), but I need to be able to deny him from creating his own local logon account and adding it to the local admin group.

Is there a way of disabling local users so he cannot create this account?

Thanks
Question by:darrenjak
6 Comments
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 22829429
I believe you can do this through Group Policy -
 
"smilerz
In your GPO find:
User Rights Assignment/Log On Locally.
Set the users to .\Administrators, DOMAIN\Administrators, DOMAIN\Users.  That should prevent anyone except domain accounts from logging in.

Test it thoroughly first, playing with user rights can cause unintended consequences.  You may need to add stuff like Local Service, Network Service, etc."
as per http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23047109.html
 
Let me know if you have any problems accomplishing this, and I will help you through it.
 
Pete
0
 

Author Comment

by:darrenjak
ID: 22829734
Sorry Pete, I may have described this wrongly.

The user is currently a local admin on his laptop by adding his domain account as an administrator. However, he has created himself a local account on his laptop (abusing his right as an administrator) so he can now log on and bypass our proxy, connect his laptop to his own wireless network (which we are not allowing), and he can create local accounts (if I remove his created local account, he recreates it). I am looking for a way to stop him from being able to do either of the tasks by restricting local log on and making him unable to create local accounts, but with me, as the administrator of the domain, still being able to fully work on that laptop.
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 22832176
Hi Darren,
 
From what you've said, I think this is as close as you're going to get - You can't disable the local accounts, as he will just be able to re-enable them. However if you use the above method to restrict local log on to ONLY the local administrator (as opposed to the local admin group) this should essentially have the same effect.
 
He would probably still be able to create the local accounts, but not log on with them - Only the local administrator account would be allowed to log on (and domain users etc).
 
However, if his domain account is a local admin, he can still reset the local administrator's password and log on using that.
 
I personally would take this more as a managerial issue - He should be told that he can't do this, and that if he continues to, disciplinary action will be taken. It's hard to lock down someone who has a local admin account...
 
Still, I think restricting local log on to only the administrator account itself is as good as you'll get...
 
Pete
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 22832208
Oh, and if the only issue is him getting around the proxy, you could reconfigure so that all internet traffic MUST be routed through the proxy, which is how we have it here. Doesn't matter who you are, if you remove the proxy settings, you can't get on to the web full stop...
0
 

Accepted Solution

by:
darrenjak earned 0 total points
ID: 22833150
Thanks Pete,

I'll give this a try, hoping to avoid the managerial issue etc., but if needs must! However, I've found a way of removing Manage from the right-click list, removing User Accounts from Control Panel and restricting access to the .cpl file that opens the user accounts... hopefully this will deter him from gaining access...
0
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 22833200
Yup you can lock a lot down using Group/Local Policy.

As said in the original post though, be careful when playing with log on restrictions - It can have all sorts of unintended effects, so test thoroughly on an inconsequential machine before implementing.

(i.e. create a test OU, bung the comp account for the test PC in there, and apply your GPO changes only to that OU).

If it works and stops any local accounts logging on (bar the actual local admin account itself) without causing any weird problems, then you're sorted!

To get around that he'd have to alter the GPO itself, and if he does that, well, the word 'disciplinary' definitely comes to mind there... :)

Let me know how you get on!

Pete
0
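
A check for the test-OU step discussed in this thread, as an added example (not code from any of the posters): it parses a `secedit` user-rights export and classifies each holder of "Allow log on locally", showing that an entry for the local Administrators group still admits any local account a local admin creates and adds to it. The sample export, the SIDs in it and the function name `Get-InteractiveLogonEntries` are constructed for illustration.

```powershell
# On the test PC, after the GPO has applied, produce the real input with:
#   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
#   $text = Get-Content C:\Temp\rights.inf -Raw
# The export below is constructed sample data, not taken from a real machine.
$sampleExport = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-513,*S-1-5-21-4444444444-5555555555-6666666666-500
[Version]
signature="$CHICAGO$"
Revision=1
'@

function Get-InteractiveLogonEntries {
    param(
        [string]$ExportText,
        [string]$DomainSid   # assumption: your own domain's SID, without the RID
    )
    # SeInteractiveLogonRight is the internal name of "Allow log on locally"
    $line = $ExportText -split "`r?`n" |
        Where-Object { $_ -match '^\s*SeInteractiveLogonRight\s*=' } |
        Select-Object -First 1
    if (-not $line) { throw 'SeInteractiveLogonRight is not defined in this export' }

    foreach ($entry in ($line -split '=', 2)[1] -split ',') {
        $id = $entry.Trim().TrimStart('*')   # secedit prefixes SIDs with '*'
        $kind = if ($id -match '^S-1-5-32-\d+$') {
            'Builtin local group: a local admin can add new local accounts to it'
        } elseif ($id -like "$DomainSid-*") {
            'Domain principal'
        } elseif ($id -match '^S-1-5-21-(\d+-){3}500$') {
            'Built-in local Administrator account'
        } elseif ($id -match '^S-1-5-21-') {
            'Other local (or foreign-domain) account'
        } else {
            'Well-known SID or account name: review manually'
        }
        [pscustomobject]@{ Identity = $id; Kind = $kind }
    }
}

Get-InteractiveLogonEntries -ExportText $sampleExport `
    -DomainSid 'S-1-5-21-1111111111-2222222222-3333333333' | Format-Table -AutoSize
```

Any row reported as a builtin local group means the restriction does not yet stop a newly created local account from logging on.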
