Solved

Local Admin User -- deny additional local admins ?

Posted on 2016-08-09
Last Modified: 2016-08-12
How can I do something like the below "DESIRED"
solution without allowing step #6+ to happen since
I want to FORCE users to login as POWERUSER when doing
installs to help prevent accidentally installing
something without being aware of it (i.e. virus) ?

Server = Windows Server 2012 R2 with AD
Client = Windows 10 Pro
--------------------------------------------------------------------------------------------------
Current
 1. user gets error message when
    trying to install something
 2. user calls me
 3. I DameWare into machine
 4. I login to Windows 10 Pro as me
 5. I do the install
--------------------------------------------------------------------------------------------------
Desired
 1. user gets error message when
    trying to install something
 2. user logs into Windows 10 Pro
    as "USER=POWERUSER, PASS=something"
 3. user does install
 4. user logs back into
    their regular account
 5. install works
 6. user does above desired step #2 again,
    doing the below to grant their
    USER=LastNameFirstInitial ADMIN
    rights all the time
       ** Control Panel
       ** Administrative Tools
       ** Computer Management
       ** Local Users and Groups
       ** Groups
       ** Administrators
       ** Add
       ** USER=LastNameFirstInitial
Question by:finance_teacher
6 Comments
 
LVL 6

Accepted Solution

by:
jpquonce earned 250 total points
ID: 41749103
Have them hold shift and right click the executable and do RUN AS DIFFERENT USER. Then put in USERNAME and PASSWORD of your desired power user credentials.
0
 

Assisted Solution

by:finance_teacher
finance_teacher earned 0 total points
ID: 41749160
The above solution does not disallow above step #6+

How can I set up an account that disallows above step #6+ ?
0
 
LVL 6

Assisted Solution

by:jpquonce
jpquonce earned 250 total points
ID: 41749183
Try adding a GPO for their USER to disable it and see if that works:
 User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins -> disable Computer Management

There is also disable Local Users and Groups
0
 
LVL 5

Assisted Solution

by:Jambon316
Jambon316 earned 250 total points
ID: 41749969
yeah take them out of the local admin group
0
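
An added example (not part of any answer in this thread): a PowerShell check for the situation in step #6 of the question. It lists members of the local Administrators group that are not on an allow-list and shows recent additions recorded in the Security log; the allow-list entries other than POWERUSER and the parameter names are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the local Administrators group against an allow-list.
# 'POWERUSER' is the account named in the question; the other entries are
# assumed placeholders to replace with your own admin accounts and groups.
param(
    [string[]]$Allowed = @('Administrator', 'POWERUSER', 'Domain Admins'),
    [int]$Days = 7,
    [switch]$Remove    # without this switch the script only reports
)

$adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# 1. Current membership: flag every member whose name is not on the allow-list.
$unexpected = Get-LocalGroupMember -SID $adminsSid | Where-Object {
    $leaf = ($_.Name -split '\\')[-1]      # strip the COMPUTER\ or DOMAIN\ prefix
    $Allowed -notcontains $leaf
}

foreach ($m in $unexpected) {
    Write-Warning "Unexpected local admin: $($m.Name) [$($m.ObjectClass), $($m.PrincipalSource)]"
    if ($Remove) {
        Remove-LocalGroupMember -SID $adminsSid -Member $m -Confirm:$false
    }
}

# 2. History: event 4732 (member added to a security-enabled local group).
# Only logged when the "Audit Security Group Management" policy is enabled.
$filter = @{ LogName = 'Security'; Id = 4732; StartTime = (Get-Date).AddDays(-$Days) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $evt = $_
    $d = @{}
    # Read the event fields by name rather than by position.
    ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ($d.TargetSid -eq $adminsSid) {
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            AddedBy = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Member  = $d.MemberSid
        }
    }
}
```

Run it without `-Remove` first to review the report; the membership check compares account names only, so a renamed account on the allow-list will be flagged.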
 
LVL 5

Assisted Solution

by:Jambon316
Jambon316 earned 250 total points
ID: 41749981
looking at this again, if a user account has rights to install stuff then it won't stop malware installs, install rights are install rights, the system can't tell the difference between dodgy software and good software.

strictly speaking, your current method is kind of best practice...
> user needs software
> user contacts admin
> admin can tell good from bad and then installs if good
> users are users and should not be admin

how much software do your users want installed anyhow? surely they'd have established line of business software installed and after that very little else ... or trouble will surely follow generally... every time I've seen all users getting admin rights on the network, generally a cryptovariant attack will inevitably follow and devastate due to the increased rights of the infected.

I know it seems like a pain, but your current method is better.
0
 
LVL 5

Assisted Solution

by:Jambon316
Jambon316 earned 250 total points
ID: 41749989
or try SCCM as a solution - bit of a task installing and configuring initially but software deployment is so easy once it's working... usually 2 or 3 clicks gets a program installed where it should be, no fuss. Loved being an admin on it, but never installed and configured it though.

worth looking into though if this is an issue
0
