
Disallow group policy actions on local computer joined to domain

Last Modified: 2014-01-19
Assuming we have a domain user account and the account is part of the local Administrators group, after joining a Windows 7 Enterprise desktop to a 2003 domain, there is a need to accomplish the following:

- Disallow creation / addition of any other service or individual domain users / groups via Domain Admins and related group policies settings within AD.

Can this be accomplished using local windows firewall or group security policy settings to override domain administered policies ?

Is this user account a member of the local administrators on the Windows 7 box?  If so, the account only has broad privileges on the local windows 7 machine.
Krzysztof Pytko (Senior Active Directory Engineer) commented:
I'm not sure if I understood you correctly, but if this is a regular user in the domain and only a local administrator on your Windows 7 machine, then this is not possible by default. Regular users cannot create/change/delete anything in a domain when they have no delegated rights for that.

A user added into local Administrators may only create local groups/users on that Windows 7 machine. And it is not possible to limit that user from creating local users/groups, because he/she is a local administrator :) So the only option is to remove the account from the local Administrators group.

Regards,
Krzysztof

Author

Commented:
BT: Yes, the user account is a member of local Administrators on the Win 7 box. The account should have broad privileges on the local Win 7 machine and that's not an issue. The issue is that no one else should be able to add himself/herself into the local Administrators group, not even those who have Domain Admin rights, as the machine is part of and attached to the domain. How can this user prevent Domain Admins from giving themselves or other domain users elevated privileges on this machine?

iSeik: As related previously in answer to BT's query, the need is to stop everyone across the IT system admins from doing anything on this Win 7 laptop without its owner's knowledge / explicit approval, while keeping him attached to the domain.


Basically, there is a laptop holding confidential info, that needs to be attached to domain but restricted from making changes applicable via domain wide group policy and even out of bounds from domain admins.

Local admin rights to be retained by machine owner who is also a domain user but added into local admin group and that's fine.
Krzysztof Pytko (Senior Active Directory Engineer) commented:

[comment not visible: locked solution]
In the long run, I don't think you can do what you are looking for.  You can use the group policy to manage the membership of the local admin, but the domain admins have the ability to alter group policy.  The group policy solution works if you are keeping honest people honest.
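The Restricted Groups GPO route above keeps the membership in line only as long as nobody with rights over the GPO decides otherwise. For the "keeping honest people honest" case, a machine-side audit that records who is in local Administrators (and, optionally, evicts anyone not on the owner's list) at least makes a change visible. The script below is an added example written for this thread, not code from any of the posters; the account names in $Approved (the built-in Administrator and CONTOSO\laptop.owner) and the log path are assumptions to replace with your own. It uses the ADSI WinNT provider so it runs on Windows 7 / PowerShell 2.0, where Get-LocalGroupMember does not exist, and it must run elevated.

```powershell
# Added example, not code from the thread. Audits the local Administrators group
# on a domain-joined workstation against an approved list and, with -Enforce,
# removes anything else. Uses the ADSI WinNT provider so it runs on Windows 7 /
# PowerShell 2.0, where Get-LocalGroupMember is not available.
# Account names in $Approved are assumptions; adjust them to your environment.
# Run elevated. Caveat from the thread: a Domain Admin can still reverse this
# (edit the GPO, disable a scheduled task, log in and re-add themselves), so
# treat it as tamper evidence, not tamper proofing.

param(
    [string[]]$Approved = @("$env:COMPUTERNAME\Administrator",   # built-in local admin
                            "CONTOSO\laptop.owner"),             # assumed domain account of the owner
    [switch]$Enforce,
    [string]$LogPath = "$env:ProgramData\LocalAdminAudit.log"    # assumed log location
)

function Get-LocalAdminMembers {
    # Returns one object per direct member of the local Administrators group.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.Invoke("Members"))) {
        $name  = $m.GetType().InvokeMember("Name",    "GetProperty", $null, $m, $null)
        $path  = $m.GetType().InvokeMember("ADsPath", "GetProperty", $null, $m, $null)
        $class = $m.GetType().InvokeMember("Class",   "GetProperty", $null, $m, $null)
        # ADsPath looks like WinNT://CONTOSO/Domain Admins or WinNT://HOSTNAME/Administrator;
        # the first path element is the authority (domain or local machine).
        $authority = (($path -replace "^WinNT://", "") -split "/")[0]
        New-Object PSObject -Property @{
            Account = "$authority\$name"
            Class   = $class          # "User" or "Group"
            ADsPath = $path
        }
    }
}

function Get-UnexpectedLocalAdmins {
    param([string[]]$ApprovedAccounts)
    # -notcontains is case-insensitive, matching how Windows treats account names.
    Get-LocalAdminMembers | Where-Object { $ApprovedAccounts -notcontains $_.Account }
}

function Write-AuditLine([string]$Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Write-Output $line
    Add-Content -Path $LogPath -Value $line
}

$unexpected = @(Get-UnexpectedLocalAdmins -ApprovedAccounts $Approved)
if ($unexpected.Count -eq 0) {
    Write-AuditLine "OK: local Administrators contains only approved accounts."
    exit 0
}

$group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
foreach ($u in $unexpected) {
    Write-AuditLine ("UNEXPECTED {0} {1}" -f $u.Class, $u.Account)
    if ($Enforce) {
        # "Domain Admins" is placed here by the domain join itself; removing it
        # is exactly the step the thread says a Domain Admin can undo.
        $group.Remove($u.ADsPath)
        Write-AuditLine ("REMOVED {0}" -f $u.Account)
    }
}
exit 1
```

Run it from a scheduled task under SYSTEM (for example every 15 minutes) and it returns exit code 1 whenever the group drifts, which is enough to alert the owner. Anyone who can change the GPO can also disable the task, so the log file, not the removal, is the part that holds value against a privileged insider.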
A Distinguished Expert 2019 commented:

[comment not visible: locked solution]

Author

Commented:
Detlef: Your links seem promising, especially the first one. The other one talks about certain scripts which are probably available only to the university's staff members.

BT: I guessed that, but thought there still may be a way out, hence I asked.

Mcknife: Disconnecting from the domain is an option, but I wouldn't want the user to lose his ability to print to domain-authenticated printers, and the user is a frequent traveller. Also, DHCP is AD integrated and the user doesn't get a valid IP that allows him into the right subnet and access to email servers, AV servers etc. unless authenticated to the domain.

iSeik: I will test the links out; can you re-confirm whether your solution cannot be overridden by Domain Admins?
Krzysztof Pytko (Senior Active Directory Engineer) commented:
No, it can be. Domain Admins is one of the most powerful groups in the domain. They will always be able to modify GPO

I would consider AD RMS if you have confidential data on that notebook, and provide certificates only to those people who need access to read/modify the documents. Only in this case will Domain Admins not be able to do anything with the data.

Krzysztof
If your main concern in the long run is monitoring who, what and when changes are made in AD, then I suggest investing in an enterprise-wide monitoring solution like Quest Change Auditor for Active Directory. We use it at my company and it is a "priceless" tool...

http://www.quest.com/changeauditor/
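A commercial auditor covers changes in AD itself; the change the author actually cares about, someone landing in the laptop's local Administrators group, is recorded by Windows on the laptop as long as "Audit Security Group Management" is enabled. The script below is an added example for this thread, not code from any poster or from Quest; it reads the two relevant Security log events (4732, member added to a security-enabled local group; 4733, member removed) and reports who made each change and when. It assumes Windows 7 / Server 2008 R2 or later, an elevated prompt (reading the Security log requires it), and that the audit subcategory shown in the comment has been switched on.

```powershell
# Added example, not code from the thread. Lists who changed the membership of
# a local group (default: Administrators) and when, from the Security event log.
# Windows writes these records only if "Audit Security Group Management" is on:
#   auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
# Event IDs: 4732 = member added to a security-enabled local group,
#            4733 = member removed from a security-enabled local group.
# Needs Windows 7 / Server 2008 R2 or later and an elevated prompt to read the
# Security log. Caveat: an administrator can clear this log or change the audit
# policy, so forward the events off the box if you need an independent record.

param(
    [int]$Days = 7,
    [string]$GroupName = "Administrators"
)

function Get-LocalGroupChanges {
    param([int]$Days, [string]$GroupName)
    $filter = @{ LogName = "Security"; Id = 4732, 4733; StartTime = (Get-Date).AddDays(-$Days) }
    # SilentlyContinue: Get-WinEvent throws when the filter matches nothing.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data["TargetUserName"] -ne $GroupName) { continue }

        # MemberName is a DN for domain accounts and often just "-" for local ones;
        # fall back to the SID, which is always present.
        $member = $data["MemberName"]
        if (-not $member -or $member -eq "-") { $member = $data["MemberSid"] }

        New-Object PSObject -Property @{
            Time    = $e.TimeCreated
            Action  = $(if ($e.Id -eq 4732) { "Added" } else { "Removed" })
            Member  = $member
            Group   = "{0}\{1}" -f $data["TargetDomainName"], $data["TargetUserName"]
            By      = "{0}\{1}" -f $data["SubjectDomainName"], $data["SubjectUserName"]
            LogonId = $data["SubjectLogonId"]
        }
    }
}

Get-LocalGroupChanges -Days $Days -GroupName $GroupName |
    Sort-Object Time |
    Format-Table Time, Action, Member, Group, By -AutoSize
```

The "By" column is the account that performed the change, which is what distinguishes an owner-approved addition from a Domain Admin adding themselves. Because the same Domain Admin can clear the Security log, pair this with Windows Event Forwarding (or any collector the admin cannot reach) if the record is meant to survive a determined insider.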
