Solved

For a user who has Local Admin permissions is there a way to stop him from stopping a process.?

Posted on 2009-07-16
365 Views
Last Modified: 2012-05-07
Hi,

For a user who has Local Admin permissions, is there a way to stop him from stopping a process?
I have a few Antivirus services which users stop. So is there a way to deny such processes being stopped on machines where users have local Admin permissions?

Regards
Sharath
0
Question by:bsharath
34 Comments
 
LVL 18

Accepted Solution

by:
chuckyh earned 250 total points
ID: 24869294
No, even if you somehow change his permissions, he can change them back since he's local admin.
0
 
LVL 11

Author Comment

by:bsharath
ID: 24869309
Ok but is there a way...?
0
 
LVL 7

Expert Comment

by:kumarnirmal
ID: 24869315
Yes, you can achieve this using a GPO.

Go to Computer Configuration -> Windows Settings -> Security Settings -> System Services, select the service which you want to restrict, right click on it and go to "Properties".

Check the box "Define this policy setting", set the startup type to "Automatic" and go to "Edit Security".

Remove the "Administrator" group, and give the "Domain Admin" group (or the group which you want to have access to the service) Full Control permission.

Now even if the user is a member of the local admin group, he won't be able to start or stop the service; only the domain admin group has access to that service.

0
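As an added check (not from the thread), this PowerShell script reads a service's security descriptor on the client and decodes who holds SERVICE_STOP, so you can confirm that the "Edit Security" setting above actually landed on the machine rather than trusting the GPO editor; the service name is a placeholder. It also flags any account that can rewrite the DACL, which is the point the other commenters make: a member of local Administrators can take ownership and restore its own rights.

```powershell
# Added example (not from the thread): audit who can stop a Windows service by decoding
# its DACL. Run from an elevated prompt on the client where the GPO should have applied.
param([string]$ServiceName = 'ExampleAvService')   # placeholder: replace with the real service name

# Service-specific rights from winsvc.h, plus the standard rights that allow rewriting the DACL
$SERVICE_START = 0x0010
$SERVICE_STOP  = 0x0020        # 'WP' in SDDL
$WRITE_DAC     = 0x00040000    # 'WD'
$WRITE_OWNER   = 0x00080000    # 'WO'
$GENERIC_ALL   = 0x10000000    # 'GA'

# sc.exe sdshow prints the descriptor as an SDDL string (the line starting with "D:")
$sddl = (& sc.exe sdshow $ServiceName | Where-Object { $_ -match '^\s*D:' }).Trim()
if (-not $sddl) { throw "Could not read the security descriptor for service '$ServiceName'" }

$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

$report = foreach ($ace in $sd.DiscretionaryAcl) {
    $sid = $ace.SecurityIdentifier
    try   { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $account = $sid.Value }                  # unresolvable SID: show it raw
    $mask = $ace.AccessMask
    [pscustomobject]@{
        Account     = $account
        AceType     = $ace.AceType                    # AccessAllowed or AccessDenied
        CanStart    = [bool]($mask -band ($SERVICE_START -bor $GENERIC_ALL))
        CanStop     = [bool]($mask -band ($SERVICE_STOP  -bor $GENERIC_ALL))
        CanEditDacl = [bool]($mask -band ($WRITE_DAC -bor $WRITE_OWNER -bor $GENERIC_ALL))
    }
}
$report | Format-Table -AutoSize

# The GPO setting in the thread removes BUILTIN\Administrators (well-known SID S-1-5-32-544);
# check whether that actually happened on this client.
$adminsSid = 'S-1-5-32-544'
$adminAce  = $sd.DiscretionaryAcl | Where-Object { $_.SecurityIdentifier.Value -eq $adminsSid }
if ($adminAce) {
    Write-Warning "BUILTIN\Administrators still has an explicit ACE on '$ServiceName'; the policy has not applied as intended (compare with RSOP.msc / gpresult)."
} else {
    Write-Output "No explicit ACE for BUILTIN\Administrators on '$ServiceName'."
}
# Caveat the other commenters make: a member of local Administrators holds SeTakeOwnershipPrivilege
# and can re-acquire any of these rights, so this DACL can only slow down a local admin, not stop one.
```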

 
LVL 11

Author Comment

by:bsharath
ID: 24869389
Hi, I already have this set in the GPO but the users are still able to stop the process, though the service is restricted....
0
 
LVL 7

Expert Comment

by:kumarnirmal
ID: 24869400
Have you checked the RSOP.msc result on those computers? The policy might not be applied to that computer.
0
 
LVL 11

Author Comment

by:bsharath
ID: 24869444
It has applied... I can see that it has been successfully applied, as it was done months ago...
0
 
LVL 7

Expert Comment

by:kumarnirmal
ID: 24869469
Can you share that particular part of the RSOP result?
0
 
LVL 11

Author Comment

by:bsharath
ID: 24869615
haaa a little confused...
Attached 2 screenshots: one is from the AD and the other from the client's RSOP.
AD.JPG
Client.jpg
0
 
LVL 7

Expert Comment

by:kumarnirmal
ID: 24869658
Hi,

I hope the policy is not applied on that machine, because you have configured the permissions in the GPO but in the RSOP result it shows as Not Defined. Kindly check with gpresult which GPOs are applied to the machine.
0
 
LVL 7

Expert Comment

by:kumarnirmal
ID: 24869673
Possible causes for the GPO not being applied:

1. Policy not linked to the OU
2. Computer not in the same OU
3. Another policy setting at the top level for the same configuration.

0
 
LVL 10

Expert Comment

by:remmett70
ID: 24869692
What is the reason that the user has local admin in the first place?  
0
 
LVL 11

Author Comment

by:bsharath
ID: 24869745
Local Admin permissions are a mistake made by my previous management guys... Will change it soon...
Ok, about the GPO. Just below the domain name in the GPMC I have this policy displayed. Now how can I find which OUs are affected by this GPO?
0
 
LVL 7

Expert Comment

by:kumarnirmal
ID: 24870325
Open the "GPMC" console and select that particular policy; in the right side panel you can find a tab called "Scope". This will list the OUs where this policy is linked.

0
 
LVL 11

Author Comment

by:bsharath
ID: 24870388
I cannot find any option as scope...
0
 
LVL 7

Expert Comment

by:kumarnirmal
ID: 24870640
You can access it another way.

Select the OU where that client computer is located, right click and go to "Properties"; you can find a tab called "Group Policy".

You can find all the GPOs linked to that OU there; select the correct GPO.
0
 
LVL 11

Author Comment

by:bsharath
ID: 24870804
I can see all OUs and GPOs in the GPMC, but the policy that involves this GPO is at the top-most level of the OU structure...
Will that inherit all the way down to the bottom?
0
 
LVL 7

Expert Comment

by:kumarnirmal
ID: 24870869
Yes it will, but to isolate this issue move the computer to a new OU and link that particular GPO to the OU.

Try restarting the computer and then check RSOP.MSC and gpresult.
0
 
LVL 10

Expert Comment

by:remmett70
ID: 24871034
Excuse me if I am wrong, but all this work with GPOs is an attempt to prevent users from being able to stop services/processes because they are local admins, when they shouldn't be, because of previous management.

To me this seems like a lot of effort when the solution is to remove the users from being local admins in the first place. Once that is done this GPO will no longer be needed.
0
 
LVL 11

Author Comment

by:bsharath
ID: 24871219
remmett70,
That change is not going to happen in the near future...
So until then, if this could be a solution, it would be very useful....
0
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 250 total points
ID: 24872356
As long as a user is a local admin, no matter what you do they will be able to circumvent this one way or another. There is absolutely no way of getting around this other than removing them from the local admins.
0
 
LVL 10

Expert Comment

by:Wolfhere
ID: 24872572
There is a way, through Policy. They are stopping the service through Ctrl-Alt-Del and Task Manager, right? Remove access to Task Manager for stopping the service (User Configuration > Administrative Templates > System\Ctrl+Alt+Del Options and enable "Remove Task Manager"). I do not know about Sophos as far as management (SAVAdmin?) goes, but through enterprise Symantec AV you can lock Auto-Protect on or allow some time before it turns back on. You should also be able to restrict whether the client icon shows up in the tray at all.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24872711
I'll GUARANTEE that whatever group policy you try to force on a local admin can be easily removed/altered.
0
 
LVL 20

Expert Comment

by:MightySW
ID: 24872804
Yes, because they have access to the registry.  This administrative right over the GPO's will be temporary but as that guy dsteweyyaryt said, they can defeat anything they want until the GPO (user/computer) reapplies.  

I would even imagine that this guy dstewaasfd...whatever his name is, even has a neat little tool that will allow him to turn off all GP's applied to his profile at anytime.

HTH
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24872868
0
 
LVL 20

Expert Comment

by:MightySW
ID: 24872884
This dude, dsa..whoever he is, has just thrown down the Guarantee gauntlet and has survived!
0
 
LVL 18

Expert Comment

by:chuckyh
ID: 24873335
This is what happens when the OP doesn't believe the first answer and someone else makes an attempt at futility to appease the OP. Thus we all take a ride down the yellow brick road.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24873372
Yup, and then someone like myself or mightysw has to come along and steer them back on the right path.
0
 
LVL 20

Expert Comment

by:MightySW
ID: 24873975
You guys crack me up.
0
 
LVL 4

Expert Comment

by:JimInLakeland
ID: 24884238
Let them have local admins, but strip their rights on any network resources. To allow them the network resources again, tell them they need to give up their local admins because by stopping the antivirus, they are posing a security risk to your network.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24945510
I have to object to the accepted answer, as any knowledgeable admin will know there is no way you can achieve this without removing the user from the local admin group.
0
 
LVL 11

Author Comment

by:bsharath
ID: 24948605
Hi All... Please give me a recommendation on which is to be closed. As none of the solutions solved my issue, due to Admin privileges on the local machines, I selected all comments as solutions as all helped me understand that it's not possible...
Sorry if that's not the right way....

0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24951692
"I selected all comments as solutions as all helped me understand that its not possible..."
Accepting "No" for an answer is the answer. It's not all the time that you  get the answer you want to hear.

Recommend accepting ID:24869294 as the answer and ID:24872356 as an assist.

0
