Solved

Restrict Local Admin Group

Posted on 2009-04-09
324 Views
Last Modified: 2012-05-06
I am revoking local admin rights for certain users for their domain login, and will be creating local accounts such as computername\user that will be local admins. They would log in with their domain ID, then use RunAs or bypass UAC with their local admin accounts.

My question is this - how can I prevent them from doing a RunAs or bypassing UAC so they can't just add themselves to the local admin for their domain account? I could use and will use Restricted Groups, but that would only flush it out every 90 minutes or whatever I adjust the refresh interval to. I need to be able to manage this group through GPO - but would not want any non-Domain Admins, for example, to be able to modify it.
0
Question by: rosederekj
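One way to watch the gap the question raises (membership changes made between Restricted Groups refreshes), as an added example that is not part of this thread: a PowerShell audit that lists Administrators members outside an allowlist and pulls recent Security event 4732 entries (member added to a security-enabled local group). It assumes Windows PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts module and an elevated session; CONTOSO and the group names in $Allowed are placeholders.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 5.1+ (for
# Get-LocalGroupMember) and an elevated session (needed to read the Security log).
# 'CONTOSO' and 'Workstation Admins' are placeholder names; edit $Allowed to fit.

# Principals that are supposed to be in the local Administrators group.
$Allowed = @(
    "$env:COMPUTERNAME\Administrator",
    'CONTOSO\Domain Admins',
    'CONTOSO\Workstation Admins'
)

# Report current members of Administrators that are not on the allowlist
# (for example a domain user account someone added to the group).
function Get-UnexpectedLocalAdmins {
    param([string[]]$Allowed)
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Allowed -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource, @{ n = 'Sid'; e = { $_.SID.Value } }
}

# Pull recent "member added to a security-enabled local group" events (ID 4732),
# so an addition that was already reverted by Restricted Groups is still visible,
# together with the account that performed it.
function Get-RecentLocalGroupAdds {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4732; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Group     = $d['TargetUserName']
            MemberSid = $d['MemberSid']
            AddedBy   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        }
    }
}

Get-UnexpectedLocalAdmins -Allowed $Allowed | Format-Table -AutoSize
Get-RecentLocalGroupAdds -Hours 24 | Format-Table -AutoSize
```

Run it from a scheduled task or remotely and forward the output to your collector; 4732 only appears when "Audit Security Group Management" is enabled in the audit policy.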
4 Comments
 
LVL 57

Expert Comment

by: Mike Kline
ID: 24109963
So these users will now just have "normal" accounts. They won't be members of any local admin groups or elevated groups in the domain?
If that is the case they shouldn't be able to elevate themselves
...I know they could boot off a boot disc and do tricks like that, but those are only the most advanced users. Is that what you are worried about?
Thanks
Mike
0
 

Author Comment

by: rosederekj
ID: 24110022
No, sorry, I wasn't clear apparently.

They will still have domain accounts that will be "users". They will have non-domain accounts, local to their machines, that will be administrators. They will log in as their domain accounts, and do RunAs or UAC prompts by using these local-to-the-machine administrator accounts as needed. I don't want them to be able to use that local-to-the-machine account to elevate and then modify local admin group memberships, such as including their domain account.
0
 

Expert Comment

by: oBdA
ID: 24110419
Sorry, that's simply not possible. Any local administrator can do with the machine whatever he wants to (including removing the machine from the domain, which would break the Restricted Groups policy as well...); after all, that's what an administrator account is for.
You can only handle this through a company policy, and "demote" users who aren't trustworthy enough to Power Users or regular users.
0
 

Accepted Solution

by: rosederekj (earned 0 total points)
ID: 24111309
I actually did some testing - the local admin user can't make changes that impact the domain.  It gets an error when trying to use the local user to elevate the domain user to local admin.

Guess I don't have to worry about it after all.
0
