Solved

Is there a way of disabling local logon accounts? I need to be able to stop a network admin from creating a local account on his own machine

Posted on 2008-10-28
Last Modified: 2013-12-04
I have a user who is a local admin on their own laptop (domain account), but I need to be able to deny him from creating his own local logon account and adding it to the local admin group.

Is there a way of disabling local users so he cannot create this account?

Thanks
Question by:darrenjak
6 Comments
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 22829429
I believe you can do this through Group Policy -
 
"smilerz
In your GPO find:
User Rights Assignment/Log On Locally.
Set the users to .\Administrators, DOMAIN\Administrators, DOMAIN\Users.  That should prevent anyone except domain accounts from logging in.

Test it thoroughly first, playing with user rights can cause unintended consequences.  You may need to add stuff like Local Service, Network Service, etc."
as per http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23047109.html
 
Let me know if you have any problems accomplishing this, and I will help you through it.
 
Pete
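A way to check what the "Log on locally" setting above actually produced on the laptop, as an added example that is not part of this thread or of any answer in it: it exports the effective local security policy with secedit, resolves the SIDs behind SeInteractiveLogonRight (Allow log on locally) and SeDenyInteractiveLogonRight (Deny log on locally), compares them against an allow-list, and then lists the local accounts and local Administrators membership. The allow-list, the DOMAIN placeholder and the temp file path are assumptions; Get-LocalUser and Get-LocalGroupMember need Windows 10 / Server 2016 or later.

```powershell
# Added example, not from the thread: audit the effective "Allow log on locally"
# and "Deny log on locally" rights on this laptop, then list local accounts and
# local Administrators membership. Run in an elevated PowerShell 5.1+ session on
# the machine itself. DOMAIN is a placeholder; edit $ExpectedLogonLocally to the
# principals you actually intend to allow (assumed values below).

$ExpectedLogonLocally = @(
    'BUILTIN\Administrators',   # or "$env:COMPUTERNAME\Administrator" to allow only the built-in admin account
    'DOMAIN\Administrators',
    'DOMAIN\Users'
)

function Resolve-PolicyEntry {
    # secedit writes SIDs with a leading '*'; plain account names are returned unchanged.
    param([string]$Entry)
    if (-not $Entry.StartsWith('*')) { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.TrimStart('*'))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Entry   # orphaned or unresolvable SID: keep the raw value so it is still reported
    }
}

function Get-UserRight {
    # Export the effective security policy and return the principals holding $RightName.
    param([string]$RightName)
    $cfg = Join-Path $env:TEMP 'user-rights-export.inf'   # assumed temp location
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $cfg | Where-Object { $_ -match "^$RightName\s*=" } | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right not present in the export: nobody holds it
    ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { Resolve-PolicyEntry $_.Trim() }
}

$allow = @(Get-UserRight 'SeInteractiveLogonRight')
$deny  = @(Get-UserRight 'SeDenyInteractiveLogonRight')

Write-Host "Allow log on locally : $($allow -join ', ')"
Write-Host "Deny log on locally  : $($deny -join ', ')"

$unexpected = $allow | Where-Object { $_ -notin $ExpectedLogonLocally }
$missing    = $ExpectedLogonLocally | Where-Object { $_ -notin $allow }
if ($unexpected) { Write-Warning "Unexpected principals may log on locally: $($unexpected -join ', ')" }
if ($missing)    { Write-Warning "Expected principals are NOT allowed to log on locally: $($missing -join ', ')" }
# Deny overrides Allow, so also make sure nothing you rely on (your own admin
# account, Local Service, Network Service) has ended up in $deny.

# Any local account or Administrators member that is not the built-in
# Administrator or one of your management accounts deserves a look.
Write-Host "`nLocal user accounts:"
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet | Format-Table -AutoSize
Write-Host "Members of local Administrators:"
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
```

Running this before and after the GPO applies (and after a gpupdate /force) shows whether the right really ended up restricted to the principals you chose, and the deny list check catches the common mistake of locking out the accounts the warning in the quoted post refers to.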
 

Author Comment

by:darrenjak
ID: 22829734
Sorry Pete, I may have described this wrongly.

The user is currently a local admin on his laptop, by adding his domain account as an administrator. However, he has created himself a local account on his laptop (abusing his right as an administrator), so he can now log on and bypass our proxy and connect his laptop to his own wireless network (which we are not allowing). He can create local accounts (if I remove his created local account, he recreates it). I am looking for a way to stop him from being able to do either of these tasks by restricting local log on and making him unable to create local accounts, but with me as the administrator of the domain still being able to fully work on that laptop.
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 22832176
Hi Darren,
 
From what you've said, I think this is as close as you're going to get - You can't disable the local accounts, as he will just be able to re-enable them. However if you use the above method to restrict local log on to ONLY the local administrator (as opposed to the local admin group) this should essentially have the same effect.
 
He would probably still be able to create the local accounts, but not log on with them - Only the local administrator account would be allowed to log on (and domain users etc).
 
However if his domain account is a local admin, he can still reset the local administrators password and log on using that.
 
I personally would take this more as a managerial issue - He should be told that he can't do this, and that if he continues to, disciplinary action will be taken. It's hard to lock down someone who has a local admin account...
 
Still, I think restricting local log on to only the administrator account itself is as good as you'll get...
 
Pete
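Since, as the answer above says, a local admin can keep recreating the account, re-enabling it, or resetting the built-in Administrator password, the realistic complement to the logon restriction is to see those actions happen. The following is an added example, not code from this thread or any of its posters: it reads the Security log for the events that record local account creation (4720), enabling (4722), password resets (4724), deletion (4726) and additions to the local Administrators group (4732), and reports who did each one. The default of 30 days is an assumption; the audit subcategories named in the comments must be enabled for these events to exist.

```powershell
# Added example, not from the thread: pull the Security-log events that record
# local account creation, enabling, password resets, deletion and additions to
# the local Administrators group, so you can see who recreated the account and
# when. Requires an elevated session and these subcategories enabled (they are
# not by default on client editions):
#   auditpol /set /subcategory:"User Account Management" /success:enable
#   auditpol /set /subcategory:"Security Group Management" /success:enable
# $Days is an assumed default; S-1-5-32-544 is the well-known local Administrators SID.

function Get-EventField {
    # Read a named EventData field from an event's XML rendering.
    param([xml]$EventXml, [string]$Name)
    ($EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-LocalAccountTampering {
    param([int]$Days = 30)

    $ids = 4720, 4722, 4724, 4726, 4732   # created, enabled, password reset, deleted, added to local group
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = $ids
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue     # no matching events is not an error

    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $actor = "$(Get-EventField $x 'SubjectDomainName')\$(Get-EventField $x 'SubjectUserName')"

        if ($e.Id -eq 4732) {
            # For group-membership events the group is the "Target" and the new member is "Member".
            if ((Get-EventField $x 'TargetSid') -ne 'S-1-5-32-544') { continue }   # only local Administrators
            $what   = 'Added to local Administrators'
            $target = Get-EventField $x 'MemberSid'   # MemberName is often '-', so resolve the SID instead
            try { $target = (New-Object System.Security.Principal.SecurityIdentifier($target)).Translate([System.Security.Principal.NTAccount]).Value } catch {}
        } else {
            $what = switch ($e.Id) {
                4720 { 'Local account created' }
                4722 { 'Account enabled' }
                4724 { 'Password reset attempted' }
                4726 { 'Account deleted' }
            }
            $target = "$(Get-EventField $x 'TargetDomainName')\$(Get-EventField $x 'TargetUserName')"
        }

        [pscustomobject]@{
            Time   = $e.TimeCreated
            Event  = $e.Id
            Action = $what
            Target = $target
            By     = $actor
        }
    }
}

# Usage: newest first. An account that is created, added to Administrators,
# deleted by you and then recreated shows up as a repeating pattern under the same 'By'.
Get-LocalAccountTampering -Days 30 | Sort-Object Time -Descending | Format-Table -AutoSize
```

The log lives on the laptop, where the same local admin can clear it, so the useful version of this forwards the Security log to a collector (Windows Event Forwarding or whatever SIEM you run) and runs the query there; a 1102 "audit log cleared" event on the collector is itself worth alerting on.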
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 22832208
Oh, and if the only issue is him getting around the proxy, you could reconfigure so that all internet traffic MUST be routed through the proxy, which is how we have it here. Doesn't matter who you are, if you remove the proxy settings, you can't get on to the web full stop...
 

Accepted Solution

by:darrenjak (earned 0 total points)
ID: 22833150
Thanks Pete,

I'll give this a try, hoping to avoid the managerial issue etc., but if needs must!! However, I've found a way of removing Manage from the right-click list, removing User Accounts from Control Panel and restricting access to the .cpl file that opens User Accounts... hopefully this will deter him from gaining access...
 
LVL 19

Expert Comment

by:PeteJThomas
ID: 22833200
Yup, you can lock a lot down using Group/Local Policy.

As said in the original post though, be careful when playing with log on restrictions - It can have all sorts of unintended effects, so test thoroughly on an inconsequential machine before implementing.

(i.e. create a test OU, bung the comp account for the test PC in there, and apply your GPO changes only to that OU).

If it works and stops any local accounts logging on (bar the actual local admin account itself) without causing any weird problems, then you're sorted!

To get around that he'd have to alter the GPO itself, and if he does that, well the words 'disciplinary' definitely come to mind there... :)

Let me know how you get on!

Pete
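The test-OU procedure from the last reply (create a test OU, move the test PC's computer account into it, apply the GPO change only there), as an added example that is neither Pete's nor darrenjak's code. It assumes RSAT with the ActiveDirectory and GroupPolicy modules, a domain admin session, and placeholder values for the domain DN, OU name, test computer and GPO name. The "Allow log on locally" right itself is still set in the Group Policy Management Editor, because the GroupPolicy module has no cmdlet for security settings; the script only builds the scoping so that nothing but the test machine picks the change up.

```powershell
# Added example, not from the thread: scope a "Log on locally" GPO change to a
# single test OU before touching production machines. Run on a box with RSAT
# (ActiveDirectory + GroupPolicy modules) as a domain admin. All names below
# are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDn   = 'DC=example,DC=local'          # placeholder domain
$TestOuName = 'GPO-Test'
$TestOuDn   = "OU=$TestOuName,$DomainDn"
$TestPc     = 'TESTPC01'                     # placeholder test laptop
$GpoName    = 'Restrict Local Logon (test)'

# 1. Create the test OU if it does not exist yet.
$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$TestOuName'" -SearchBase $DomainDn -SearchScope OneLevel
if (-not $ou) {
    New-ADOrganizationalUnit -Name $TestOuName -Path $DomainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Move only the test computer's account into it (it leaves its current OU,
#    so any GPOs linked there stop applying to it; keep that in mind when reading results).
$pc = Get-ADComputer -Identity $TestPc
if ($pc.DistinguishedName -notlike "*,$TestOuDn") {
    Move-ADObject -Identity $pc.DistinguishedName -TargetPath $TestOuDn
}

# 3. Create the GPO and link it to the test OU and nowhere else.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Test only: restricts Allow log on locally'
}
$links = (Get-GPInheritance -Target $TestOuDn).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $TestOuDn -LinkEnabled Yes | Out-Null
}

# 4. Now edit the user right in GPMC:
#    Computer Configuration > Policies > Windows Settings > Security Settings >
#    Local Policies > User Rights Assignment > Allow log on locally
#    and run "gpupdate /force" on the test PC (plus a reboot, since this is a
#    computer setting). Then pull the resultant set of policy for that machine
#    to confirm what actually applied before widening the link.
Get-GPResultantSetOfPolicy -Computer $TestPc -ReportType Html -Path "$env:TEMP\$TestPc-rsop.html"

# Cross-check on the test PC itself (cmd, elevated):
#   secedit /export /cfg rsop.inf /areas USER_RIGHTS
#   findstr SeInteractiveLogonRight rsop.inf
```

Only when the test laptop behaves (intended accounts log on, the local ones cannot, and services that rely on interactive logon still start) does the link move to the real OU; if the change misfires, the blast radius is one machine you can walk up to.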
