  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 369

For a user who has Local Admin permissions, is there a way to stop him from stopping a process?

Hi,

For a user who has Local Admin permissions, is there a way to stop him from stopping a process?
I have a few antivirus services which users stop. So is there a way to deny such processes being stopped on machines where users have local Admin permissions?

Regards
Sharath
bsharath Asked:

2 Solutions

chuckyh commented:
No, even if you somehow change his permissions, he can change them back since he's local admin.
0
 
bsharath (Author) commented:
Ok but is there a way...?
0
 
kumarnirmal commented:
Yes, you can achieve this using a GPO.

Go to Computer Configuration -> Windows Settings -> Security Settings -> System Services, select the service which you want to restrict, right-click on it and go to "Properties".

Check the box "Define this policy setting", set the startup type to "Automatic" and go to "Edit Security".

Remove the "Administrator" group, and give the "Domain Admin" group (or the group which you want to have access to the service) Full Control permission.

Now even if the user is a member of the local admin group he won't be able to start or stop the service; only the domain admin group has access to that service.




0
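The System Services policy described above does two things on the client: it sets the startup type and it replaces the service's DACL. The following PowerShell script is an added example (not code from this thread or from any of its participants) that reads both back on a client, so you can see whether the policy actually landed before blaming the GPO link. It assumes the service short name `WinDefend` as a placeholder; substitute the short name of your own antivirus service as shown by `Get-Service`.

```powershell
# Added example, not code from the thread. Run on a client (as an administrator) to see
# whether the System Services policy reached the machine: the startup type the Service
# Control Manager reports, and the service DACL that the GPO's "Edit Security" dialog writes.
# $ServiceName is an assumed placeholder; use the short name from Get-Service for your AV service.
$ServiceName = 'WinDefend'

# Well-known SDDL trustee abbreviations seen in service ACLs
$Trustees = @{
    'BA' = 'BUILTIN\Administrators';  'SY' = 'NT AUTHORITY\SYSTEM'
    'IU' = 'NT AUTHORITY\INTERACTIVE'; 'SU' = 'NT AUTHORITY\SERVICE'
    'AU' = 'NT AUTHORITY\Authenticated Users'; 'WD' = 'Everyone'; 'BU' = 'BUILTIN\Users'
}
# Service-specific meaning of the SDDL rights letters (the SERVICE_* access mask)
$Rights = @{
    'CC' = 'QueryConfig'; 'DC' = 'ChangeConfig'; 'LC' = 'QueryStatus'; 'SW' = 'EnumDependents'
    'RP' = 'Start'; 'WP' = 'Stop'; 'DT' = 'PauseContinue'; 'LO' = 'Interrogate'
    'CR' = 'UserDefinedControl'; 'SD' = 'Delete'; 'RC' = 'ReadControl'; 'WD' = 'WriteDac'; 'WO' = 'WriteOwner'
}

function Resolve-Trustee([string]$Token) {
    if ($Trustees.ContainsKey($Token)) { return $Trustees[$Token] }
    try {   # a raw SID (for example a domain group added via Edit Security): translate it
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Token)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $Token }
}

# 1. Startup type as the SCM sees it; the GPO sets this to Automatic
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' is not installed on this machine." }
'{0}: StartMode={1} State={2}' -f $svc.Name, $svc.StartMode, $svc.State

# 2. The service security descriptor in SDDL form (sc.exe, not the 'sc' alias for Set-Content)
$sddl = (sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' }) -join ''
$dacl = ($sddl -split 'S:')[0]             # DACL only; the part after S: is the audit SACL
$adminsCanStop = $false
foreach ($ace in [regex]::Matches($dacl, '\(([^)]*)\)')) {
    $f = $ace.Groups[1].Value -split ';'   # ace_type;ace_flags;rights;object_guid;inherit_guid;trustee
    $who = Resolve-Trustee $f[5]
    if ($f[2] -like '0x*') { $named = @($f[2]) }   # numeric access mask, leave as-is
    else {
        $pairs = for ($i = 0; $i -lt $f[2].Length; $i += 2) { $f[2].Substring($i, 2) }
        $named = foreach ($p in $pairs) { if ($Rights.ContainsKey($p)) { $Rights[$p] } else { $p } }
    }
    if ($f[0] -eq 'A' -and $f[5] -eq 'BA' -and $named -contains 'Stop') { $adminsCanStop = $true }
    '{0,-5} {1,-38} {2}' -f $f[0], $who, ($named -join ',')
}
if ($adminsCanStop) {
    Write-Warning 'BUILTIN\Administrators still holds SERVICE_STOP: the GPO DACL has not replaced the default one.'
} else {
    'Administrators cannot stop this service via the DACL (as the policy intends).'
}
```

If the DACL still shows `BUILTIN\Administrators` with `Stop`, the policy has not been applied to this machine and the GPO scope is the place to look; if it has been replaced, the policy is working and, as later replies in this thread point out, anything the user can still do comes from being a local administrator rather than from the GPO.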
 
bsharath (Author) commented:
Hi, I already have this set in the GPO but the users are still able to stop the process, though the service is restricted....
0
 
kumarnirmal commented:
Have you checked the RSOP.msc result on those computers? The policy might not be applied to that computer.
0
 
bsharath (Author) commented:
It has applied... I can see that it has successfully applied, as it was done months ago...
0
 
kumarnirmal commented:
Can you share that particular part of the RSOP result?
0
 
bsharath (Author) commented:
Haha, a little confused...
Attached 2 screenshots: one is from the AD and the other from the client's RSoP.
AD.JPG
Client.jpg
0
 
kumarnirmal commented:
Hi,

I hope the policy is not applied on that machine, because you have configured the permissions on the GPO but in the RSoP result it shows as Not Defined. Kindly check with gpresult what GPOs are applied to the machine.
0
 
kumarnirmal commented:
Possible causes for the GPO not being applied:

1. Policy not linked to the OU
2. Computer not in the same OU
3. Another policy setting at the top level for the same configuration

0
 
remmett70 commented:
What is the reason that the user has local admin in the first place?
0
 
bsharath (Author) commented:
Local Admin permissions are a mistake made by my previous management guys... Will change it soon...
OK, about the GPO. Just below the domain name in the GPMC I have this policy displayed. Now how can I find which OUs are affected by this GPO?
0
 
kumarnirmal commented:
Open the "GPMC" console and select that particular policy; in the right side panel you can find a tab called "Scope", which will list the OUs this policy is linked to.

0
 
bsharath (Author) commented:
I cannot find any option called Scope...
0
 
kumarnirmal commented:
You can access it another way.

Select the OU where that client computer is located, right-click and go to "Properties"; you can find a tab called "Group Policy".

You can find all the GPOs linked to that OU there; select the correct GPO.
0
 
bsharath (Author) commented:
I can see all OUs and GPOs in the GPMC, but the policy that involves this GPO is at the very top of the OU structure...
Will that inherit down to the bottom?
0
 
kumarnirmal commented:
Yes it will, but to isolate this issue move the computer to a new OU and link that particular GPO to the OU.

Try restarting the computer and then check RSOP.MSC and gpresult.
0
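The three possible causes listed earlier (GPO not linked, computer not under a linked OU, a competing setting higher up) and the "which OUs does this GPO apply to" question can be answered from a management workstation without clicking through GPMC tabs. The script below is an added example, not code from this thread or its participants; it uses the RSAT `GroupPolicy` and `ActiveDirectory` modules (`Get-GPO`, `Get-GPInheritance`, `Get-ADObject`, `Get-ADComputer`), and the GPO name `Restrict AV Service` and computer name `CLIENT01` are assumed placeholders.

```powershell
# Added example, not code from the thread. Checks the three causes of "GPO not applied":
# (1) is the GPO linked anywhere, (2) is the computer under a linked OU, and (3) does any
# level on the way up block inheritance or outrank the link. Requires RSAT modules.
# $GpoName and $ComputerName are assumed placeholders.
Import-Module GroupPolicy, ActiveDirectory
$GpoName      = 'Restrict AV Service'
$ComputerName = 'CLIENT01'

$gpo      = Get-GPO -Name $GpoName           # throws if no GPO of that name exists
$domainDn = (Get-ADDomain).DistinguishedName

# Cause 1: where is the GPO linked? A container's gPLink attribute holds
# "[LDAP://cn={GUID},cn=policies,cn=system,DC=...;flags]" for every link on it.
$links = @(Get-ADObject -LDAPFilter "(gPLink=*$($gpo.Id)*)" -SearchBase $domainDn -Properties gPLink)
if ($links.Count -eq 0) { Write-Warning "'$GpoName' is not linked to the domain or to any OU." }
$links | ForEach-Object { "Linked at: $($_.DistinguishedName)" }

# Causes 2 and 3: walk from the computer's own container up to the domain root
$dn        = (Get-ADComputer $ComputerName).DistinguishedName
$container = $dn.Substring($dn.IndexOf(',') + 1)        # drop the CN=<computer> RDN
while ($true) {
    if ($container -like 'OU=*' -or $container -eq $domainDn) {
        $inh  = Get-GPInheritance -Target $container
        $here = $inh.GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }
        $container
        '    BlockInheritance={0}  LinkedHere={1}  Enforced={2}' -f `
            $inh.GpoInheritanceBlocked, [bool]$here, ($null -ne $here -and $here.Enforced)
    } else {
        "$container  (plain container such as CN=Computers; it cannot carry GPO links)"
    }
    if ($container -eq $domainDn) { break }
    $container = $container.Substring($container.IndexOf(',') + 1)
}

# Effective precedence at the computer's own OU. Order 1 is applied last and therefore wins:
# a domain-level GPO setting the same service (cause 3) loses to an OU-level one unless Enforced.
$ouDn = $dn.Substring($dn.IndexOf(',') + 1)
if ($ouDn -like 'OU=*') {
    (Get-GPInheritance -Target $ouDn).InheritedGpoLinks |
        Select-Object Order, DisplayName, Enabled, Enforced | Format-Table -AutoSize
}
```

Pair this with `gpresult /r /scope:computer` on the client itself: the script shows what the directory says should apply, gpresult shows what the client actually processed, and a mismatch between the two is usually a replication or blocked-inheritance problem rather than a broken policy.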
 
remmett70 commented:
Excuse me if I am wrong, but all this work with GPOs is in an attempt to prevent users from being able to stop services/processes because they are local admins, when they shouldn't be because of previous management.

To me this seems like a lot of effort when the solution is to remove the users from being local admins in the first place. Once that is done this GPO will no longer be needed.
0
 
bsharath (Author) commented:
remmett70,
That change is not going to happen in the near future...
So until then, if this could be a solution, it would be very useful....
0
 
Donald Stewart (Network Administrator) commented:
As long as a user is a local admin, no matter what you do they will be able to circumvent this one way or another. There is absolutely no way of getting around this other than removing them from the local admins.
0
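Since, as this reply says, a local administrator can circumvent any restriction placed on the service, the practical fallback is to record when the service is stopped or reconfigured rather than to try to prevent it. The Service Control Manager writes those actions to the System event log, and the following PowerShell script is an added example (not code from this thread or its participants) that pulls them out for one service. It assumes the display name `Windows Defender Antivirus Service` as a placeholder; use the display name of your own antivirus service as shown by `Get-Service`.

```powershell
# Added example, not code from the thread. Lists stop, start-type-change and crash events
# for one service from the System log. $DisplayName is an assumed placeholder; use the
# display name of your AV service as shown by Get-Service.
$DisplayName = 'Windows Defender Antivirus Service'
$Since       = (Get-Date).AddDays(-7)

# Service Control Manager event IDs:
#   7036 service entered the running/stopped state
#   7040 start type was changed (e.g. auto start -> disabled)
#   7031/7034 service terminated unexpectedly (covers killing the process from Task Manager)
$filter = @{
    LogName = 'System'; ProviderName = 'Service Control Manager'
    Id = 7036, 7040, 7031, 7034; StartTime = $Since
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$DisplayName*" }

$findings = foreach ($e in $events) {
    $msg = $e.Message -replace '\s+', ' '
    if ($e.Id -eq 7036 -and $msg -notlike '*stopped state*') { continue }   # ignore 'running' transitions
    $kind = if ($e.Id -eq 7036) { 'Stopped' }
            elseif ($e.Id -eq 7040) { 'StartTypeChanged' }
            else { 'TerminatedUnexpectedly' }
    # UserId is the SID the event was logged under. The SCM writes most of these as SYSTEM,
    # so the person behind a stop usually has to come from the Security log (4688 process
    # creation with command-line auditing) rather than from this record.
    $who = if ($e.UserId) {
        try { $e.UserId.Translate([System.Security.Principal.NTAccount]).Value } catch { $e.UserId.Value }
    } else { '-' }
    [pscustomobject]@{ Time = $e.TimeCreated; Event = $kind; LoggedAs = $who; Message = $msg }
}

$findings | Sort-Object Time | Format-Table -AutoSize
if (-not $findings) { "No stop or reconfiguration events for '$DisplayName' since $Since." }
```

Run centrally (for example through `Invoke-Command` against the affected machines, or by forwarding the System log to a collector) this gives you a list of who is stopping the antivirus and how often, which is also the evidence that makes the case for removing the local admin rights.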
 
Wolfhere commented:
There is a way, through policy. They are stopping the service through Ctrl-Alt-Del and Task Manager, right? Remove access to Task Manager for stopping the service (User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options, and enable "Remove Task Manager"). I do not know about Sophos as far as management (SAVAdmin?) goes, but through enterprise Symantec AV you can lock Auto-Protect on or allow some time before it turns back on. You should also be able to restrict whether the client icon shows up in the tray at all.
0
 
Donald Stewart (Network Administrator) commented:
I'll GUARANTEE that whatever group policy you try to force on a local admin can be easily removed/altered.
0
 
MightySW commented:
Yes, because they have access to the registry. This administrative right over the GPOs will be temporary, but as that guy dsteweyyaryt said, they can defeat anything they want until the GPO (user/computer) reapplies.

I would even imagine that this guy dstewaasfd...whatever his name is, even has a neat little tool that will allow him to turn off all GP's applied to his profile at anytime.

HTH
0
 
Donald Stewart (Network Administrator) commented:
0
 
MightySW commented:
This dude, dsa..whoever he is, has just thrown down the Guarantee gauntlet and has survived!
0
 
chuckyh commented:
This is what happens when the OP doesn't believe the first answer and someone else makes an attempt at futility to appease the OP. Thus we all take a ride down the yellow brick road.
0
 
Donald Stewart (Network Administrator) commented:
Yup, and then someone like myself or mightysw has to come along and steer them back on the right path.
0
 
MightySW commented:
You guys crack me up.
0
 
JimInLakeland commented:
Let them have local admins, but strip their rights on any network resources. To allow them the network resources again, tell them they need to give up their local admins because by stopping the antivirus, they are posing a security risk to your network.
0
 
Donald Stewart (Network Administrator) commented:
I have to object to the accepted answer, as any knowledgeable admin will know there is no way you can achieve this without removing the user from the local admin group.
0
 
bsharath (Author) commented:
Hi all... Please give me a recommendation on which is to be closed. As none of the solutions solved my issue due to Admin privileges on the local machines, I selected all comments as solutions, as all helped me understand that it's not possible...
Sorry if that's not the right way....

0
 
Donald Stewart (Network Administrator) commented:
"I selected all comments as solutions as all helped me understand that its not possible..."
Accepting "No" for an answer is the answer. It's not all the time that you get the answer you want to hear.
 
Recommend accepting ID:24869294 as the answer and ID:24872356 as an assist.
 


0
