group policy prevent local admin change ip

Windows 2012 R2
Is there any way to prevent local administrator of a member in a domain server to change IP in Group Policy? The local Administrator isnt memeber of any domain admins group.
Who is Participating?
dhoffman_98Connect With a Mentor Commented:
Well, the first answer is that the application that requires that is poorly written. But not that you can do anything about that.

And the second answer is that there is no way with a group policy to prevent a local administrator from being able to change an IP address on a machine, without removing them from the local administrators group... which would then defeat the needs of your application.

Do you often have people logging into a server and then just randomly changing its IP Address?
dhoffman_98Connect With a Mentor Commented:
The only way would be to override the members of the local administrators group, and assuming your local administrator is in the group, it would remove them.

However, that's a terrible idea. You need to keep your local administrator account secure, and keep it a member of the group... for no other reason than worst case scenarios where you can't access the machine from the domain account.

Perhaps you might want to reconsider who has the local administrator credentials, and remove them... preserving access to your local administrator accounts only for emergency purposes.
per-wAuthor Commented:
But what do you do if you have a teminal server for someone and the programs they run need that the user is local admin? I know i could make a new group and find out what permission they need, but the only answer i got is that it need to be local admin (it have something to do with dcom)
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.