Solved

For a user who has Local Admin permissions, is there a way to stop him from stopping a process?

Posted on 2009-07-16
34
359 Views
Last Modified: 2012-05-07
Hi,

For a user who has Local Admin permissions, is there a way to stop him from stopping a process?
I have a few antivirus services which users stop. So is there a way to deny such processes being stopped on machines where users have local Admin permissions?

Regards
Sharath
Question by:bsharath
34 Comments
 
LVL 18

Accepted Solution

by:
chuckyh earned 250 total points
ID: 24869294
No, even if you somehow change his permissions, he can change them back since he's local admin.
0
 
LVL 11

Author Comment

by:bsharath
ID: 24869309
Ok but is there a way...?
0
 
LVL 7

Expert Comment

by:kumarnirmal
ID: 24869315
Yes, you can achieve this using GPO.

Go to Computer Configuration -> Windows Settings -> Security Settings -> System Services, select the service which you want to restrict, right click on it and go to "Properties".

Check the box "Define this Policy Setting", set the start up type to "Automatic" and go to "Edit Security".

Remove the "Administrator" group and grant the "Domain Admin" group, or the group which you want to give access to the service, Full Control permission.

Now even if the user is a member of the local admin group he won't be able to start or stop the service; only the domain admin group has access to that service.

0
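To verify what the System Services GPO actually produced on a client, the following added example (not code from this thread) decodes the SDDL string that `sc.exe sdshow <service>` prints and lists every principal granted SERVICE_STOP. The two SDDL strings inside it are constructed samples, and the service name in the commented live check is a placeholder.

```powershell
# Added example, not from the thread: decode a service's SDDL security descriptor and
# report which principals hold SERVICE_STOP ("WP" in SDDL's service-object mapping).

# Two-letter SDDL rights codes as Windows abbreviates them for service objects.
$ServiceRights = @{
    CC = 'QUERY_CONFIG'; DC = 'CHANGE_CONFIG'; LC = 'QUERY_STATUS'; SW = 'ENUMERATE_DEPENDENTS'
    RP = 'START'; WP = 'STOP'; DT = 'PAUSE_CONTINUE'; LO = 'INTERROGATE'; CR = 'USER_DEFINED_CONTROL'
    RC = 'READ_CONTROL'; SD = 'DELETE'; WD = 'WRITE_DAC'; WO = 'WRITE_OWNER'; GA = 'GENERIC_ALL'
}
# Well-known SID abbreviations commonly seen in service DACLs.
$Principals = @{ SY = 'LOCAL SYSTEM'; BA = 'BUILTIN\Administrators'; IU = 'Interactive users'
                 SU = 'Service logon'; AU = 'Authenticated Users'; DA = 'Domain Admins' }

function Get-ServiceStopGrants {
    param([Parameter(Mandatory)][string]$Sddl)
    # Keep only the DACL: everything after "D:" up to the SACL ("S:") if one is present.
    $dacl = [regex]::Match($Sddl, 'D:(?<dacl>.*?)(?:S:|$)').Groups['dacl'].Value
    $acePattern = '\((?<type>[^;]*);[^;]*;(?<rights>[^;]*);[^;]*;[^;]*;(?<sid>[^)]*)\)'
    foreach ($ace in [regex]::Matches($dacl, $acePattern)) {
        $rights = $ace.Groups['rights'].Value
        if ($rights -like '0x*') {
            # Rights may be a raw hex access mask; SERVICE_STOP is bit 0x20.
            $grantsStop = ([Convert]::ToInt64($rights.Substring(2), 16) -band 0x20) -ne 0
            $codes = @($rights)
        } else {
            # Otherwise a run of two-letter codes; GENERIC_ALL also implies stop.
            $codes = for ($i = 0; $i + 1 -lt $rights.Length; $i += 2) { $rights.Substring($i, 2) }
            $grantsStop = ($codes -contains 'WP') -or ($codes -contains 'GA')
        }
        if (-not $grantsStop) { continue }
        $sid = $ace.Groups['sid'].Value
        $name = if ($Principals[$sid]) { $Principals[$sid] } else { $sid }
        $type = if ($ace.Groups['type'].Value -eq 'A') { 'Allow' } else { 'Deny' }
        $decoded = ($codes | ForEach-Object { if ($ServiceRights[$_]) { $ServiceRights[$_] } else { $_ } }) -join ','
        [pscustomobject]@{ Principal = $name; AceType = $type; Rights = $decoded }
    }
}

# Constructed sample: the usual default DACL of a service (BUILTIN\Administrators hold WP).
$DefaultSddl  = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'
# Constructed sample: the same service after the GPO above replaced Administrators with Domain Admins.
$HardenedSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)'

Get-ServiceStopGrants $DefaultSddl  | Format-Table -AutoSize   # LOCAL SYSTEM and BUILTIN\Administrators
Get-ServiceStopGrants $HardenedSddl | Format-Table -AutoSize   # LOCAL SYSTEM and Domain Admins only

# Live check on a client (placeholder service name; sc.exe prints a blank line before the SDDL):
# Get-ServiceStopGrants ((sc.exe sdshow '<AVServiceName>') -join '')
```

A result that no longer lists BUILTIN\Administrators only confirms the policy was applied, which is what the RSOP check later in the thread is after; as the thread concludes, a member of the local Administrators group can still rewrite this DACL, so the check verifies policy application rather than enforcement.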
 
LVL 11

Author Comment

by:bsharath
ID: 24869389
Hi, I already have this set in the GPO but the users are still able to stop the process; the service is restricted though....
0
 
LVL 7

Expert Comment

by:kumarnirmal
ID: 24869400
Have you checked the RSOP.msc result on those computers? The policy might not be applied to that computer.
0
 
LVL 11

Author Comment

by:bsharath
ID: 24869444
It has applied... I can see that it has successfully applied, as it was done months ago...
0
 
LVL 7

Expert Comment

by:kumarnirmal
ID: 24869469
Can you share that particular part of the RSOP result?
0
 
LVL 11

Author Comment

by:bsharath
ID: 24869615
Haaa, a little confused...
Attached 2 screenshots. One is from the AD and the other from the client's RSOP.
AD.JPG
Client.jpg
0
 
LVL 7

Expert Comment

by:kumarnirmal
ID: 24869658
Hi,

I think the policy is not applied on that machine, because you have configured the permissions on the GPO but in the RSOP result it shows as Not Defined. Kindly check with gpresult what GPOs are applied to the machine.
0
 
LVL 7

Expert Comment

by:kumarnirmal
ID: 24869673
Possible causes for the GPO not being applied:

1. Policy not linked to the OU
2. Computer not in the same OU
3. Another policy setting at the top level for the same configuration.
0
 
LVL 10

Expert Comment

by:remmett70
ID: 24869692
What is the reason that the user has local admin in the first place?
0
 
LVL 11

Author Comment

by:bsharath
ID: 24869745
Local Admin permissions are a mistake made by my previous management guys... Will change it soon...
Ok, about the GPO. Just below the domain name in the GPMC I have this policy displayed. Now how can I find which OUs are affected by this GPO?
0
 
LVL 7

Expert Comment

by:kumarnirmal
ID: 24870325
Open the GPMC console and select that particular policy; in the right side panel you can find a tab called "Scope" which lists the OUs this policy is linked to.
0
 
LVL 11

Author Comment

by:bsharath
ID: 24870388
I cannot find any option as scope...
0
 
LVL 7

Expert Comment

by:kumarnirmal
ID: 24870640
You can access it another way.

Select the OU where that client computer is located, right click and go to "Properties"; you can find a tab called "Group Policy".

You can find all the GPOs linked to that OU there; select the correct GPO.
0
 
LVL 11

Author Comment

by:bsharath
ID: 24870804
I can see all OUs and GPOs in the GPMC, but the policy that involves this GPO is at the top most of the OU structure...
Will that inherit down to the bottom?
0
 
LVL 7

Expert Comment

by:kumarnirmal
ID: 24870869
Yes it will, but to isolate this issue move the computer to a new OU and link that particular GPO to the OU.

Try restarting the computer and then check RSOP.MSC and gpresult.
0
 
LVL 10

Expert Comment

by:remmett70
ID: 24871034
Excuse me if I am wrong, but all this work with GPOs is an attempt to prevent users from being able to stop services/processes because they are local admins, when they shouldn't be, because of previous management.

To me this seems like a lot of effort when the solution is to remove the users from being Local Admins in the first place.  Once that is done this GPO will no longer be needed.
0
 
LVL 11

Author Comment

by:bsharath
ID: 24871219
remmett70,
That change is not going to happen in the near future...
So until then, if this could be a solution then it would be very useful....
0
 
LVL 47

Assisted Solution

by:dstewartjr
dstewartjr earned 250 total points
ID: 24872356
As long as a user is a local admin, no matter what you do they will be able to circumvent this one way or another. There is absolutely no way of getting around this other than removing them from the local admins.
0
 
LVL 10

Expert Comment

by:Wolfhere
ID: 24872572
There is a way, through Policy. They are stopping the service through Ctrl-Alt-Del and Task Manager, right? Remove access to Task Manager for stopping the service (User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options and enable Remove Task Manager). I do not know about Sophos as far as management (SAVAdmin?) goes, but through enterprise Symantec AV you can lock the Autoprotection on or allow some time before it turns back on. You should also be able to restrict whether the client icon shows up in the tray at all.
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 24872711
I'll GUARANTEE that whatever group policy you try to force on a local admin can be easily removed/altered.
0
 
LVL 20

Expert Comment

by:MightySW
ID: 24872804
Yes, because they have access to the registry. This administrative right over the GPOs will be temporary, but as that guy dsteweyyaryt said, they can defeat anything they want until the GPO (user/computer) reapplies.

I would even imagine that this guy dstewaasfd...whatever his name is, even has a neat little tool that will allow him to turn off all GPs applied to his profile at any time.

HTH
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 24872868
0
 
LVL 20

Expert Comment

by:MightySW
ID: 24872884
This dude, dsa..whoever he is, has just thrown down the Guarantee gauntlet and has survived!
0
 
LVL 18

Expert Comment

by:chuckyh
ID: 24873335
This is what happens when the OP doesn't believe the first answer and someone else makes an attempt at futility to appease the OP. Thus we all take a ride down the yellow brick road.
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 24873372
Yup, and then someone like myself or mightysw has to come along and steer them back on the right path.
0
 
LVL 20

Expert Comment

by:MightySW
ID: 24873975
You guys crack me up.
0
 
LVL 4

Expert Comment

by:JimInLakeland
ID: 24884238
Let them have local admins, but strip their rights on any network resources. To allow them the network resources again, tell them they need to give up their local admins because by stopping the antivirus, they are posing a security risk to your network.
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 24945510
I have to object to the accepted answer, as any knowledgeable admin will know there is no way you can achieve this without removing the user from the local admin group.
0
 
LVL 11

Author Comment

by:bsharath
ID: 24948605
Hi All... Please give me a recommendation on which is to be closed. As none of the solutions solved my issue due to Admin privileges on the local machines, I selected all comments as solutions, as all helped me understand that it's not possible...
Sorry for that if that's not the right way....
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 24951692
"I selected all comments as solutions as all helped me understand that its not possible..."
Accepting "No" for an answer is the answer. It's not all the time that you get the answer you want to hear.

Recommend accepting ID:24869294 as the answer and ID:24872356 as an assist.
0