For a user who has Local Admin permissions, is there a way to stop him from stopping a process?

Hi,

For a user who has Local Admin permissions, is there a way to stop him from stopping a process?
I have a few antivirus services which users stop. So is there a way to deny such processes being stopped on machines where users have local Admin permissions?

Regards
Sharath
bsharathAsked:

chuckyhCommented:
No, even if you somehow change his permissions, he can change them back since he's local admin.
0

bsharathAuthor Commented:
Ok but is there a way...?
0
kumarnirmalCommented:
Yes, you can achieve this using a GPO.

Go to Computer Configuration -> Windows Settings -> Security Settings -> System Services, select the service which you want to restrict, right click on it and go to "Properties".

Check the box "Define this policy setting", set the startup type to "Automatic" and go to "Edit Security".

Remove the "Administrator" group, and give the "Domain Admin" group, or whichever group you want to have access to the service, Full Control permission.

Now even if the user is a member of the local admin group he won't be able to start or stop the service; only the domain admin group has access to that service.
0
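An added example (not from the thread or any of its participants) for verifying, on a client, whether the service DACL pushed by that System Services policy actually took effect: it reads the service's security descriptor with `sc.exe sdshow` and reports whether BUILTIN\Administrators still holds SERVICE_START/SERVICE_STOP. The service name is a placeholder to substitute; note that this DACL is enforced only by the Service Control Manager and says nothing about the process object, which is the gap the original poster later reports.

```powershell
# Added example: audit a service's DACL for BUILTIN\Administrators stop/start rights.
# Assumes Windows PowerShell 5.1+ and sc.exe on PATH (both standard on Windows).
param([string]$ServiceName = 'Spooler')   # placeholder; use your AV service's short name

# Service-specific access bits (winsvc.h) and the generic-all bit
$SERVICE_START      = 0x0010
$SERVICE_STOP       = 0x0020
$SERVICE_ALL_ACCESS = 0x000F01FF
$GENERIC_ALL        = 0x10000000

# sc.exe prints a blank line followed by the SDDL string; strip whitespace and join
$raw = ((sc.exe sdshow $ServiceName) -join '') -replace '\s', ''
if (-not $raw.StartsWith('D:')) { throw "sc.exe sdshow failed for '$ServiceName': $raw" }

$sd     = New-Object System.Security.AccessControl.RawSecurityDescriptor($raw)
$admins = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')

# Accumulate allow and deny masks granted to BUILTIN\Administrators
$allow = 0; $deny = 0
foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
    if ($ace.SecurityIdentifier.Value -ne $admins.Value) { continue }
    if ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed) {
        $allow = $allow -bor $ace.AccessMask
    } elseif ($ace.AceType -eq [System.Security.AccessControl.AceType]::AccessDenied) {
        $deny = $deny -bor $ace.AccessMask
    }
}
# GENERIC_ALL and SERVICE_ALL_ACCESS both imply start and stop
if ($allow -band ($GENERIC_ALL -bor $SERVICE_ALL_ACCESS)) {
    $allow = $allow -bor $SERVICE_START -bor $SERVICE_STOP
}
# A deny ACE wins over an allow ACE for the same right
$canStop  = (($allow -band $SERVICE_STOP)  -ne 0) -and (($deny -band $SERVICE_STOP)  -eq 0)
$canStart = (($allow -band $SERVICE_START) -ne 0) -and (($deny -band $SERVICE_START) -eq 0)

[pscustomobject]@{
    Service         = $ServiceName
    AdminsAllowMask = ('0x{0:X8}' -f $allow)
    AdminsDenyMask  = ('0x{0:X8}' -f $deny)
    AdminsCanStop   = $canStop
    AdminsCanStart  = $canStart
}
```

If AdminsCanStop is still True after a gpupdate, the policy has not applied to that machine, which is the same thing the RSoP check below is looking for.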

bsharathAuthor Commented:
Hi, I already have this set in the GPO, but the users are still able to stop the process, though the service is restricted....
0
kumarnirmalCommented:
Have you checked the RSOP.msc result on those computers? The policy might not be applied to that computer.
0
bsharathAuthor Commented:
It has applied... I can see that it has been successfully applied, as it was done months ago...
0
kumarnirmalCommented:
Can you share that particular part of the RSOP result?
0
bsharathAuthor Commented:
Haha, a little confused...
Attached 2 screenshots: one is from the AD and the other from the client's RSoP.
AD.JPG
Client.jpg
0
kumarnirmalCommented:
Hi,

I believe the policy is not applied on that machine, because you have configured the permissions in the GPO but in the RSoP result it shows as Not Defined. Kindly check with gpresult which GPOs are applied to the machine.
0
kumarnirmalCommented:
Possible causes for the GPO not being applied:

1. Policy not linked to the OU
2. Computer not in the same OU
3. Another policy setting at a higher level for the same configuration
0
remmett70Commented:
What is the reason that the user has local admin in the first place?
0
bsharathAuthor Commented:
Local Admin permissions are a mistake made by my previous management... Will change it soon...
OK, about the GPO: just below the domain name in the GPMC I have this policy displayed. Now how can I find which OUs are affected by this GPO?
0
kumarnirmalCommented:
Open the GPMC console and select that particular policy; in the right side panel you can find a tab called "Scope", which will list the OUs this policy is linked to.
0
bsharathAuthor Commented:
I cannot find any option called Scope...
0
kumarnirmalCommented:
You can access it another way.

Select the OU where that client computer is located, right click and go to "Properties"; you can find a tab called "Group Policy".

You can find all the GPOs linked to that OU there; select the correct GPO.
0
bsharathAuthor Commented:
I can see all OUs and GPOs in the GPMC, but the policy that involves this GPO is at the top of the OU structure...
Will that inherit all the way down to the bottom?
0
kumarnirmalCommented:
Yes it will, but to isolate this issue move the computer to a new OU and link that particular GPO to the OU.

Try restarting the computer and then check RSOP.MSC and gpresult.
0
remmett70Commented:
Excuse me if I am wrong, but all this work with GPOs is an attempt to prevent users from being able to stop services/processes because they are local admins, when they shouldn't be because of previous management.

To me this seems like a lot of effort when the solution is to remove the users from being local admins in the first place. Once that is done this GPO will no longer be needed.
0
bsharathAuthor Commented:
remmett70,
That change is not going to happen in the near future...
So until then, if this could be a solution, it would be very useful....
0
DonNetwork AdministratorCommented:
As long as a user is a local admin, no matter what you do they will be able to circumvent this one way or another. There is absolutely no way of getting around this other than removing them from the local admins.
0
WolfhereCommented:
There is a way, through policy. They are stopping the service through Ctrl-Alt-Del and Task Manager, right? Remove access to Task Manager for stopping the service (User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options, and enable "Remove Task Manager"). I do not know about Sophos as far as management (SAVAdmin?) goes, but through enterprise Symantec AV you can lock Auto-Protect on, or allow some time before it turns back on. You should also be able to restrict whether the client icon shows up in the tray at all.
0
DonNetwork AdministratorCommented:
I'll GUARANTEE that whatever group policy you try to force on a local admin can be easily removed/altered.
0
MightySWCommented:
Yes, because they have access to the registry. This administrative right over the GPOs will be temporary, but as that guy dsteweyyaryt said, they can defeat anything they want until the GPO (user/computer) reapplies.

I would even imagine that this guy dstewaasfd...whatever his name is, even has a neat little tool that will allow him to turn off all GPs applied to his profile at any time.

HTH
0
DonNetwork AdministratorCommented:
0
MightySWCommented:
This dude, dsa..whoever he is, has just thrown down the Guarantee gauntlet and has survived!
0
chuckyhCommented:
This is what happens when the OP doesn't believe the first answer and someone else makes an attempt at futility to appease the OP. Thus we all take a ride down the yellow brick road.
0
DonNetwork AdministratorCommented:
Yup, and then someone like myself or mightysw has to come along and steer them back on the right path.
0
MightySWCommented:
You guys crack me up.
0
JimInLakelandCommented:
Let them have local admin, but strip their rights on any network resources. To allow them the network resources again, tell them they need to give up their local admin rights, because by stopping the antivirus they are posing a security risk to your network.
0
DonNetwork AdministratorCommented:
I have to object to the accepted answer, as any knowledgeable admin will know there is no way you can achieve this without removing the user from the local admin group.
0
bsharathAuthor Commented:
Hi all... Please give me a recommendation on which is to be closed, as none of the solutions solved my issue due to admin privileges on the local machines. I selected all comments as solutions as all helped me understand that it's not possible...
Sorry if that's not the right way....
0
DonNetwork AdministratorCommented:
"I selected all comments as solutions as all helped me understand that it's not possible..."
Accepting "No" for an answer is the answer. It's not all the time that you get the answer you want to hear.

Recommend accepting ID:24869294 as the answer and ID:24872356 as an assist.
0