Restrict Local Admin Group
Posted on 2009-04-09
I am revoking local admin rights for certain users for their domain login, and will be creating local accounts such as computername\user that will be local admins. They would log in with their domain ID, then use RunAs or bypass UAC with their local admin accounts.
My question is this - how can I prevent them from doing a RunAs or bypassing UAC so they can't just add themselves to the local admin for their domain account? I could use and will use Restricted Groups, but that would only flush it out every 90 minutes or whatever I adjust the refresh interval to. I need to be able to manage this group through GPO - but would not want any non-Domain Admins, for example, to be able to modify it.