Solved

Restrict Local Admin Group

Posted on 2009-04-09
4
318 Views
Last Modified: 2012-05-06
I am revoking local admin rights for certain users for their domain login, and will be creating local accounts such as computername\user that will be local admins.  They would login with their domain ID, then use RunAs or bypass UAC with their local admin accounts.

My question is this - how can I prevent them from doing a RunAs or bypassing UAC so they can't just add themselves to the local admin for their domain account.  I could use and will use Restricted Groups, but that would only flush it out every 90 minutes or whatever I adjust the refresh interval to.  I need to be able to manage this group through GPO - but would not want any non Domain Admins, for example, to be able to modify it.
0
Comment
Question by:rosederekj
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24109963
So these users will now just have "normal" accounts.  they won't be members of any local admin groups or elevated groups in the domain?
If that is the case they shouldn't be able to elevate themselves
...I know they could boot of a boot disc and do tricks like that but those are only the most advanced users.  Is that what you are worried about.
Thanks
Mike
0
 

Author Comment

by:rosederekj
ID: 24110022
No, sorry, I wasn't clear apparently.

They will still have domain accounts that will be "users".  They will have non-domain accounts, local to their machines, that will be administrators.  They will login as their domain accounts, and do RunAs or UAC prompts by using these local to the machine administrator accounts as needed.  I don't want them to be able to use that local to the machine account to elevate and then modify local admin group memberships, such as including their domain account.
0
 
LVL 85

Expert Comment

by:oBdA
ID: 24110419
Sorry, that's simply not possible. Any local administrator can do with the machine whatever he wants to (including removing the machine from the domain, which would break the Restricted Groups policy as well...); after all, that's what an administrator account is for.
You can only handle this through a company policy, and "demote" users who aren't trustworthy enough to Power Users or regular users.
0
 

Accepted Solution

by:
rosederekj earned 0 total points
ID: 24111309
I actually did some testing - the local admin user can't make changes that impact the domain.  It gets an error when trying to use the local user to elevate the domain user to local admin.

Guess I don't have to worry about it after all.
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

622 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question