Solved

Restrict Local Admin Group

Posted on 2009-04-09
4
312 Views
Last Modified: 2012-05-06
I am revoking local admin rights for certain users for their domain login, and will be creating local accounts such as computername\user that will be local admins.  They would login with their domain ID, then use RunAs or bypass UAC with their local admin accounts.

My question is this - how can I prevent them from doing a RunAs or bypassing UAC so they can't just add themselves to the local admin for their domain account.  I could use and will use Restricted Groups, but that would only flush it out every 90 minutes or whatever I adjust the refresh interval to.  I need to be able to manage this group through GPO - but would not want any non Domain Admins, for example, to be able to modify it.
0
Comment
Question by:rosederekj
  • 2
4 Comments
 
LVL 57

Expert Comment

by:Mike Kline
Comment Utility
So these users will now just have "normal" accounts.  they won't be members of any local admin groups or elevated groups in the domain?
If that is the case they shouldn't be able to elevate themselves
...I know they could boot of a boot disc and do tricks like that but those are only the most advanced users.  Is that what you are worried about.
Thanks
Mike
0
 

Author Comment

by:rosederekj
Comment Utility
No, sorry, I wasn't clear apparently.

They will still have domain accounts that will be "users".  They will have non-domain accounts, local to their machines, that will be administrators.  They will login as their domain accounts, and do RunAs or UAC prompts by using these local to the machine administrator accounts as needed.  I don't want them to be able to use that local to the machine account to elevate and then modify local admin group memberships, such as including their domain account.
0
 
LVL 82

Expert Comment

by:oBdA
Comment Utility
Sorry, that's simply not possible. Any local administrator can do with the machine whatever he wants to (including removing the machine from the domain, which would break the Restricted Groups policy as well...); after all, that's what an administrator account is for.
You can only handle this through a company policy, and "demote" users who aren't trustworthy enough to Power Users or regular users.
0
 

Accepted Solution

by:
rosederekj earned 0 total points
Comment Utility
I actually did some testing - the local admin user can't make changes that impact the domain.  It gets an error when trying to use the local user to elevate the domain user to local admin.

Guess I don't have to worry about it after all.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Join & Write a Comment

As network administrators; we know how hard it is to track user’s login/logout using security event log (BTW it is harder now in windows 2008 because user name is always “N/A” in the grid), and most of us either get 3rd party tools, or just make our…
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now