Solved

Restricting Domain Admin Accounts

Posted on 2014-04-03
Last Modified: 2016-05-31
Hi,

We have IT and dev folks who currently are local administrators of their own systems.  We are looking to lock this down with standard user accounts as their main account and have a secondary admin account to use for administrative work.  

With that said, we would like for people to use this secondary admin account to do "run as" etc, but want to make sure to prevent users from trying to log onto machines locally with this admin account to use as their main account.

Can this be done?

Thanks.
Question by:mesadmin

Accepted Solution

by:
McKnife earned 2000 total points
ID: 39975799
No.
Running a program with different credentials interactively would have to be allowed - but that implies having the privilege to log on locally, sorry.
Look at 3rd-party software (privilege manager) or simply enforce and trust UAC.

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 41626227
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.

Assisted Solution

by:McKnife
McKnife earned 2000 total points
ID: 41626228
I object.
Surely my comment has covered the facts and concluded: it's not possible, at least not if we assume the users want to abuse it.

If we however assume that users are nice and not technically savvy, yes, then there's even a way to prevent local logons: https://www.experts-exchange.com/articles/24599/Free-yourself-of-your-administrative-account.html holds it at the end: we can trigger account deactivation when users try to switch to the logon screen by using scheduled tasks as outlined.
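
Added example, not part of the thread: since the right to log on locally has to stay in place for "run as" to work, one option is to detect full interactive sessions by the secondary admin accounts in Security event 4624 instead of blocking them. The `adm-` account prefix, the function names and the sample events are constructed for illustration, and the code assumes "run as" logons are recorded with LogonProcessName `seclogo`, which should be confirmed on your own Windows builds.

```powershell
# Added example; not from the thread. Assumptions are marked below.
$AdminPrefix  = 'adm-'                 # hypothetical naming scheme for secondary admin accounts
$SessionTypes = '2', '7', '10', '11'   # console, unlock, RDP, cached console logon
$RunAsProcess = 'seclogo'              # assumed LogonProcessName for RunAs; verify on your builds

function Find-AdminSessionLogon {
    # Input: XML of Security event 4624, e.g. from
    #   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | ForEach-Object { $_.ToXml() }
    param([Parameter(ValueFromPipeline)][string]$EventXml)
    process {
        $doc = [xml]$EventXml
        if ($doc.Event.System.EventID -ne '4624') { return }
        # Flatten <Data Name='...'>value</Data> into a lookup table.
        $data = @{}
        foreach ($d in $doc.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $user = [string]$data['TargetUserName']
        # Only secondary admin accounts are of interest.
        if (-not $user.StartsWith($AdminPrefix, [StringComparison]::OrdinalIgnoreCase)) { return }
        # Only logon types that create a desktop session.
        if ($data['LogonType'] -notin $SessionTypes) { return }
        # RunAs from a standard-user session is the intended use; skip it.
        if ("$($data['LogonProcessName'])".Trim() -eq $RunAsProcess) { return }
        [pscustomobject]@{
            Computer  = $doc.Event.System.Computer
            User      = $user
            LogonType = $data['LogonType']
        }
    }
}

function New-SampleLogonXml($User, $Type, $LogonProcess) {
    # Constructed, minimal 4624 record carrying only the fields used above.
@"
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><EventID>4624</EventID><Computer>WS01.example.test</Computer></System>
  <EventData><Data Name='TargetUserName'>$User</Data><Data Name='LogonType'>$Type</Data>
  <Data Name='LogonProcessName'>$LogonProcess</Data></EventData>
</Event>
"@
}

$samples = @(
    New-SampleLogonXml 'adm-jdoe' 2  'seclogo'   # RunAs inside a standard session
    New-SampleLogonXml 'adm-jdoe' 2  'User32 '   # full console logon
    New-SampleLogonXml 'jdoe'     2  'User32 '   # standard account at the console
    New-SampleLogonXml 'adm-jdoe' 10 'User32 '   # Remote Desktop session
)
$samples | Find-AdminSessionLogon | Format-Table -AutoSize
```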
Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

INTRODUCTION The purpose of this document is to demonstrate the Installation and configuration of the Data Protection Manager product. Note that this demonstration was prepared on the basis of Windows OS is 2008 R2 and DPM 2010. DATA PROTECTI…
Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question