Solved

For a user who has Local Admin permissions, is there a way to stop him from stopping a process?

Posted on 2009-07-16
Last Modified: 2012-05-07
Hi,

For a user who has Local Admin permissions, is there a way to stop him from stopping a process?
I have a few Antivirus services which users stop. So is there a way to deny such processes being stopped on machines where users have local Admin permissions?

Regards
Sharath
Question by:bsharath
 
LVL 18

Accepted Solution

by:
chuckyh earned 250 total points
ID: 24869294
No, even if you somehow change his permissions, he can change them back since he's local admin.
 
LVL 11

Author Comment

by:bsharath
ID: 24869309
Ok but is there a way...?
 
LVL 7

Expert Comment

by:kumarnirmal
ID: 24869315
Yes, you can achieve this using GPO.

Go to Computer Configuration -> Windows Settings -> Security Settings -> System Services, select the service which you want to restrict, right click on it and go to "Properties".

Check the box "Define this policy setting", set the startup type to "Automatic" and go to "Edit Security".

Remove the "Administrators" group, and give the "Domain Admins" group (or whichever group you want to have access to the service) Full Control permission.

Now even a user who is a member of the local admin group won't be able to start or stop the service; only the Domain Admins group has access to that service.
 
LVL 11

Author Comment

by:bsharath
ID: 24869389
Hi, I already have this set in the GPO, but the users are still able to stop the process, although the service is restricted....
 
LVL 7

Expert Comment

by:kumarnirmal
ID: 24869400
Have you checked the RSOP.msc result on those computers? The policy might not be applied to that computer.
 
LVL 11

Author Comment

by:bsharath
ID: 24869444
It has applied... I can see that it has successfully applied, as it was done months ago...
 
LVL 7

Expert Comment

by:kumarnirmal
ID: 24869469
Can you share that particular part of the RSOP result?
 
LVL 11

Author Comment

by:bsharath
ID: 24869615
Haaa, a little confused...
Attached 2 screenshots: one is from the AD and the other from the client's RSOP.
AD.JPG
Client.jpg
 
LVL 7

Expert Comment

by:kumarnirmal
ID: 24869658
Hi ,

I hope the policy is not applied on that machine, because you have configured the permissions in the GPO but in the RSOP result it shows as Not Defined. Kindly check with gpresult which GPOs are applied to the machine.
 
LVL 7

Expert Comment

by:kumarnirmal
ID: 24869673
Possible causes for the GPO not being applied:

1. Policy not linked to the OU
2. Computer not in the same OU
3. Another policy setting at the top level for the same configuration
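An added example (not code from this thread or from Experts Exchange): a PowerShell check to run on the client, elevated, that shows whether the service DACL pushed by the System Services GPO setting actually arrived, which is what the RSOP screenshots above are trying to establish. It reads the service's security descriptor with sc.exe sdshow and lists, per ACE, who holds the Stop right and who holds WriteDac/WriteOwner (the bits that let a principal such as BUILTIN\Administrators grant itself the right back, which is the thread's point about local admins). The service name is a placeholder.

```powershell
# Added example, not from the thread. Lists who can stop a service and who can
# rewrite its ACL. 'ServiceNamePlaceholder' is a placeholder; pass the name of
# the AV service you restricted in the GPO. Run in an elevated prompt.
param([string]$ServiceName = 'ServiceNamePlaceholder')

# Service object access bits: SERVICE_* from winsvc.h plus the standard rights
$Bits = [ordered]@{
    QueryConfig = 0x0001; ChangeConfig = 0x0002; QueryStatus = 0x0004
    EnumerateDependents = 0x0008; Start = 0x0010; Stop = 0x0020
    PauseContinue = 0x0040; Interrogate = 0x0080; UserDefinedControl = 0x0100
    Delete = 0x10000; ReadControl = 0x20000; WriteDac = 0x40000; WriteOwner = 0x80000
    GenericAll = 0x10000000
}

# sc.exe sdshow prints the SDDL string of the service object (first line is blank)
$sddl = & sc.exe sdshow $ServiceName |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -like 'D:*' } |
    Select-Object -First 1
if (-not $sddl) { throw "Could not read the security descriptor of '$ServiceName' (sc.exe sdshow failed)" }

$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor ([string]$sddl)

$sd.DiscretionaryAcl | ForEach-Object {
    $ace = $_
    # Resolve the SID to an account name where the client can; otherwise keep the raw SID
    try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $who = $ace.SecurityIdentifier.Value }
    $mask   = [int]$ace.AccessMask
    $rights = foreach ($name in $Bits.Keys) { if ($mask -band $Bits[$name]) { $name } }
    [pscustomobject]@{
        Principal  = $who
        AceType    = $ace.AceType   # AccessAllowed or AccessDenied
        # SERVICE_STOP, or GENERIC_ALL which implies it
        CanStop    = [bool]($mask -band ($Bits.Stop -bor $Bits.GenericAll))
        # WRITE_DAC / WRITE_OWNER: can put the Stop right back for itself
        CanRewrite = [bool]($mask -band ($Bits.WriteDac -bor $Bits.WriteOwner -bor $Bits.GenericAll))
        Rights     = $rights -join ','
    }
} | Format-Table -AutoSize
```

If the output still shows the default ACE set (BUILTIN\Administrators with CanStop and CanRewrite), the GPO setting has not reached the machine, which matches the "Not Defined" RSOP result. Note that this DACL governs stop requests through the Service Control Manager only; it does not prevent an administrator from ending the service's process from Task Manager, which is consistent with what the author reports above.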
 
LVL 10

Expert Comment

by:remmett70
ID: 24869692
What is the reason that the user has local admin in the first place?
 
LVL 11

Author Comment

by:bsharath
ID: 24869745
Local Admin permissions are a mistake made by my previous management guys... Will change it soon...
OK, about the GPO. Just below the domain name in the GPMC I have this policy displayed. Now how can I find which OUs are affected by this GPO?
 
LVL 7

Expert Comment

by:kumarnirmal
ID: 24870325
Open the GPMC console and select that particular policy; in the right-side panel you can find a tab called "Scope". This will list the OUs this policy is linked to.
 
LVL 11

Author Comment

by:bsharath
ID: 24870388
I cannot find any option as scope...
 
LVL 7

Expert Comment

by:kumarnirmal
ID: 24870640
You can access it another way.

Select the OU where that client computer is located, right click and go to "Properties"; you can find a tab called "Group Policy".

You can find all the GPOs linked to that OU there; select the correct GPO.
 
LVL 11

Author Comment

by:bsharath
ID: 24870804
I can see all OUs and GPOs in the GPMC, but the policy that involves this GPO is at the topmost level of the OU structure...
Will that inherit down to the bottom?
 
LVL 7

Expert Comment

by:kumarnirmal
ID: 24870869
Yes it will, but to isolate this issue move the computer to a new OU and link that particular GPO to the OU.

Try restarting the computer and then check RSOP.MSC and gpresult.
 
LVL 10

Expert Comment

by:remmett70
ID: 24871034
Excuse me if I am wrong. But all this work with GPOs is an attempt to prevent users from being able to stop services/processes because they are local admins, when they shouldn't be, because of previous management.

To me this seems like a lot of effort when the solution is to remove the users from being local admins in the first place. Once that is done this GPO will no longer be needed.
 
LVL 11

Author Comment

by:bsharath
ID: 24871219
remmett70,
That change is not going to happen in the near future...
So until then, if this could be a solution, it would be very useful....
 
LVL 47

Assisted Solution

by:Donald Stewart
Donald Stewart earned 250 total points
ID: 24872356
As long as a user is a local admin, no matter what you do they will be able to circumvent this one way or another. There is absolutely no way of getting around this other than removing them from the local admins.
 
LVL 10

Expert Comment

by:Wolfhere
ID: 24872572
There is a way, through Policy. They are stopping the service through Ctrl-Alt-Del and Task Manager, right? Remove access to Task Manager for stopping the service (User Configuration > Administrative Templates > System > Ctrl+Alt+Del Options, and enable "Remove Task Manager"). I do not know about Sophos as far as management (SAVAdmin?) goes, but through enterprise Symantec AV you can lock Auto-Protect on, or allow some time before it turns back on. You should also be able to restrict whether the client icon shows up in the tray at all.
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24872711
I'll GUARANTEE that whatever group policy you try to force on a local admin can be easily removed/altered.
 
LVL 20

Expert Comment

by:MightySW
ID: 24872804
Yes, because they have access to the registry. This administrative right over the GPOs will be temporary, but as that guy dsteweyyaryt said, they can defeat anything they want until the GPO (user/computer) reapplies.

I would even imagine that this guy dstewaasfd... whatever his name is, even has a neat little tool that will allow him to turn off all GPs applied to his profile at any time.

HTH
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24872868
 
LVL 20

Expert Comment

by:MightySW
ID: 24872884
This dude, dsa..whoever he is, has just thrown down the Guarantee gauntlet and has survived!
 
LVL 18

Expert Comment

by:chuckyh
ID: 24873335
This is what happens when the OP doesn't believe the first answer and someone else makes an attempt at futility to appease the OP. Thus we all take a ride down the yellow brick road.
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24873372
Yup, and then someone like myself or mightysw has to come along and steer them back on the right path.
 
LVL 20

Expert Comment

by:MightySW
ID: 24873975
You guys crack me up.
 
LVL 4

Expert Comment

by:JimInLakeland
ID: 24884238
Let them have local admin, but strip their rights on any network resources. To allow them the network resources again, tell them they need to give up their local admin because, by stopping the antivirus, they are posing a security risk to your network.
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24945510
I have to object to the accepted answer, as any knowledgeable admin will know there is no way you can achieve this without removing the user from the local admin group.
 
LVL 11

Author Comment

by:bsharath
ID: 24948605
Hi All... Please give me a recommendation on which is to be closed. None of the solutions solved my issue, due to Admin privileges on the local machines. I selected all comments as solutions, as all helped me understand that it's not possible...
Sorry for that if that's not the right way....
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 24951692
"I selected all comments as solutions as all helped me understand that its not possible..."
Accepting "No" for an answer is the answer. It's not all the time that you get the answer you want to hear.

Recommend accepting ID:24869294 as the answer and ID:24872356 as an assist.
