Restrict Local Admin Group

I am revoking local admin rights for certain users for their domain login, and will be creating local accounts such as computername\user that will be local admins. They would log in with their domain ID, then use RunAs or bypass UAC with their local admin accounts.

My question is this: how can I prevent them from doing a RunAs or bypassing UAC so they can't just add themselves to the local admin group for their domain account? I could use and will use Restricted Groups, but that would only flush it out every 90 minutes or whatever I adjust the refresh interval to. I need to be able to manage this group through GPO, but would not want any non-Domain Admins, for example, to be able to modify it.
rosederekj Asked:

rosederekj Author Commented:
I actually did some testing: the local admin user can't make changes that impact the domain. It gets an error when trying to use the local user to elevate the domain user to local admin.

Guess I don't have to worry about it after all.
Mike Kline Commented:
So these users will now just have "normal" accounts. They won't be members of any local admin groups or elevated groups in the domain?
If that is the case they shouldn't be able to elevate themselves.
...I know they could boot off a boot disc and do tricks like that, but those are only the most advanced users. Is that what you are worried about?
Thanks
Mike
rosederekj Author Commented:
No, sorry, I wasn't clear apparently.

They will still have domain accounts that will be "users". They will have non-domain accounts, local to their machines, that will be administrators. They will log in as their domain accounts, and do RunAs or UAC prompts by using these local-to-the-machine administrator accounts as needed. I don't want them to be able to use that local-to-the-machine account to elevate and then modify local admin group memberships, such as including their domain account.
oBdA Commented:
Sorry, that's simply not possible. Any local administrator can do with the machine whatever he wants to (including removing the machine from the domain, which would break the Restricted Groups policy as well...); after all, that's what an administrator account is for.
You can only handle this through a company policy, and "demote" users who aren't trustworthy enough to Power Users or regular users.
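As oBdA says, membership cannot be locked against a local administrator, and Restricted Groups only re-enforces it at each policy refresh. What a defender can do is detect drift between refreshes. The following is an added example, not code from the thread: a PowerShell audit (assuming PowerShell 5.1 or later for Get-LocalGroupMember) that compares the local Administrators group against an approved list and writes an event for anything unexpected. The approved list and the CONTOSO domain name are placeholders.

```powershell
# Added example: audit local Administrators membership between GP refreshes.
# Run it from a scheduled task as SYSTEM, e.g. every 15 minutes.
# Caveat (the thread's point): a local admin can also disable this task,
# so the event log is only a detection aid, not an enforcement control.

# Approved members. Placeholder values; replace with the real list.
$Approved = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local administrator
    "$env:COMPUTERNAME\user",            # the per-machine local admin from the question
    'CONTOSO\Domain Admins'              # placeholder domain group
)

# Name comes back as MACHINE\account for local principals and DOMAIN\account
# for domain principals, so it can be compared directly to $Approved.
$Members = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name

# -notcontains is case-insensitive by default in PowerShell.
$Unexpected = @($Members | Where-Object { $Approved -notcontains $_ })

if ($Unexpected.Count -gt 0) {
    # Register an event source once so a SIEM can collect the warnings.
    if (-not [System.Diagnostics.EventLog]::SourceExists('LocalAdminAudit')) {
        New-EventLog -LogName Application -Source 'LocalAdminAudit'
    }
    foreach ($m in $Unexpected) {
        $msg = "Unexpected member of local Administrators: $m"
        Write-Warning $msg
        Write-EventLog -LogName Application -Source 'LocalAdminAudit' `
            -EventId 1001 -EntryType Warning -Message $msg
    }
} else {
    Write-Output 'Local Administrators group matches the approved list.'
}
```

For real-time detection rather than polling, enable "Audit Security Group Management" and collect Security event 4732 (a member was added to a security-enabled local group), which records who added the account.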