• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 89
  • Last Modified:

Restricting Domain Admin Accounts

Hi,

We have IT and dev folks who currently are local administrators of their own systems.  We are looking to lock this down with standard user accounts as their main account and have a secondary admin account to use for administrative work.  

With that said, we would like for people to use this secondary admin account to do "run as" etc, but want to make sure to prevent users from trying to log onto machines locally with this admin account to use as their main account.

Can this be done?

Thanks.
0
mesadmin
Asked:
mesadmin
  • 2
2 Solutions
 
McKnifeCommented:
No.
Running a program with different credentials interactively would have to be allowed - but that implies to have the privilege to logon locally, sorry.
Look at 3rd party software (privilege manager) or simply enforce and trust UAC
0
 
Guy Hengel [angelIII / a3]Billing EngineerCommented:
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
0
 
McKnifeCommented:
I object.
Surely my comment has covered the facts and concluded: it's not possible, at least not if we assume the users want to abuse it.

If we however assume that users are nice and not technically savvy, yes, then there's even a way to prevent local logons: https://www.experts-exchange.com/articles/24599/Free-yourself-of-your-administrative-account.html holds it at the end: we can trigger account deactivation when users try to switch to the logon screen by using scheduled tasks as outlined.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now