Solved

Restrict Local Admin Group

Posted on 2009-04-09
313 Views
Last Modified: 2012-05-06
I am revoking local admin rights for certain users for their domain login, and will be creating local accounts such as computername\user that will be local admins.  They would login with their domain ID, then use RunAs or bypass UAC with their local admin accounts.

My question is this - how can I prevent them from doing a RunAs or bypassing UAC so they can't just add themselves to the local admin for their domain account.  I could use and will use Restricted Groups, but that would only flush it out every 90 minutes or whatever I adjust the refresh interval to.  I need to be able to manage this group through GPO - but would not want any non Domain Admins, for example, to be able to modify it.
Question by:rosederekj
4 Comments
LVL 57

Expert Comment

by:Mike Kline
ID: 24109963
So these users will now just have "normal" accounts. They won't be members of any local admin groups or elevated groups in the domain?
If that is the case, they shouldn't be able to elevate themselves.
...I know they could boot off a boot disc and do tricks like that, but those are only the most advanced users. Is that what you are worried about?
Thanks
Mike

Author Comment

by:rosederekj
ID: 24110022
No, sorry, I wasn't clear apparently.

They will still have domain accounts that will be "users".  They will have non-domain accounts, local to their machines, that will be administrators.  They will login as their domain accounts, and do RunAs or UAC prompts by using these local to the machine administrator accounts as needed.  I don't want them to be able to use that local to the machine account to elevate and then modify local admin group memberships, such as including their domain account.
LVL 83

Expert Comment

by:oBdA
ID: 24110419
Sorry, that's simply not possible. Any local administrator can do with the machine whatever he wants to (including removing the machine from the domain, which would break the Restricted Groups policy as well...); after all, that's what an administrator account is for.
You can only handle this through a company policy, and "demote" users who aren't trustworthy enough to Power Users or regular users.

Accepted Solution

by:rosederekj (earned 0 total points)
ID: 24111309
I actually did some testing - the local admin user can't make changes that impact the domain.  It gets an error when trying to use the local user to elevate the domain user to local admin.

Guess I don't have to worry about it after all.
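Since the thread settles on Restricted Groups plus company policy, the remaining gap is noticing membership changes between policy refreshes. The following is an added example, not code from the thread: a PowerShell audit that enumerates the local Administrators group through the WinNT ADSI provider (available on XP/2003 and later) and flags members missing from an approved baseline. The baseline list and the CONTOSO domain name are placeholders to adjust for your environment.

```powershell
# Added example (not from the thread): audit local Administrators membership
# against an approved baseline and report anything that should not be there.

# Assumed baseline; CONTOSO is a placeholder domain name.
$Approved = @(
    'Administrator',           # built-in local administrator
    'CONTOSO\Domain Admins'    # domain group that should remain
)

function Get-LocalAdminMembers {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $name = $m.GetType().InvokeMember('Name',    'GetProperty', $null, $m, $null)
        $path = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        # AdsPath is WinNT://DOMAIN/user for domain principals and
        # WinNT://DOMAIN/COMPUTER/user (three parts) for machine-local accounts.
        $parts   = ($path -replace '^WinNT://', '') -split '/'
        $isLocal = ($parts.Count -ge 3) -or ($parts[0] -ieq $ComputerName)
        if ($isLocal) { $display = $name } else { $display = "$($parts[0])\$name" }
        New-Object PSObject -Property @{ Name = $display; IsLocal = $isLocal }
    }
}

function Test-LocalAdminDrift {
    param([string[]]$ApprovedMembers = $Approved)
    # Anything not on the baseline is drift, e.g. a domain user added by a
    # local admin account between Restricted Groups refreshes.
    Get-LocalAdminMembers | Where-Object { $ApprovedMembers -notcontains $_.Name }
}

Test-LocalAdminDrift | ForEach-Object {
    Write-Warning "Unexpected local Administrators member: $($_.Name) (local account: $($_.IsLocal))"
}
```

Run it from a scheduled task or logon script and forward the warnings to your event collection so a change is visible before the next policy refresh removes it.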
