  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 75

Local Admin User -- deny additional local admins ?

How can I do something like the below "DESIRED"
solution without allowing step #6+ to happen since
I want to FORCE users to login as POWERUSER when doing
installs to help prevent accidentally installing
something without being aware of it (i.e. virus) ?

Server = Windows Server 2012 R2 with AD
Client = Windows 10 Pro
--------------------------------------------------------------------------------------------------
Current
 1. user gets error message when
    trying to install something
 2. user calls me
 3. I DameWare into machine
 4. I login to Windows 10 Pro as me
 5. I do the install
--------------------------------------------------------------------------------------------------
Desired
 1. user gets error message when
    trying to install something
 2. user logs into Windows 10 Pro
    as "USER=POWERUSER, PASS=something"
 3. user does install
 4. user logs back into
    their regular account
 5. install works
 6. user does above desired step #2 again,
    doing the below to grant their
    USER=LastNameFirstInitial ADMIN
    rights all the time
       ** Control Panel
       ** Administrative Tools
       ** Computer Management
       ** Local Users and Groups
       ** Groups
       ** Administrators
       ** Add
       ** USER=LastNameFirstInitial
0
Asked: finance_teacher
6 Solutions
 
jpquonce Commented:
Have them hold shift and right click the executable and do RUN AS DIFFERENT USER. Then put in USERNAME and PASSWORD of your desired power user credentials.
0
 
finance_teacher Author Commented:
The above solution does not disallow above step #6+

How can I set up an account that disallows above step #6+?
0
 
jpquonce Commented:
Try adding a GPO for their USER to disable it and see if that works:
User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins -> disable Computer Management

There is also disable Local Users and Groups
0
 
Jambon316 Commented:
Yeah, take them out of the local admin group.
0
 
Jambon316 Commented:
Looking at this again, if a user account has rights to install stuff then it won't stop malware installs. Install rights are install rights; the system can't tell the difference between dodgy software and good software.

Strictly speaking, your current method is kind of best practice...
> user needs software
> user contacts admin
> admin can tell good from bad and then installs if good
> users are users and should not be admin

How much software do your users want installed anyhow? Surely they'd have established line of business software installed and after that very little else... or trouble will surely follow generally... every time I've seen all users getting admin rights on the network, generally cryptovariant attack will inevitably follow and devastate due to the increased rights of the infected.

I know it seems like a pain, but your current method is better.
0
 
Jambon316 Commented:
Or try SCCM as a solution - bit of a task installing and configuring initially but software deployment is so easy once it's working... usually 2 or 3 clicks gets a program installed where it should be, no fuss. Loved being an admin on it, but never installed and configured it though.

worth looking into though if this is an issue
0
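
An added example, not part of any post in this thread: a PowerShell check that reports members of the local Administrators group that are not on an approved list, which is how the change in the question's step #6 would show up. The function name `Get-UnexpectedLocalAdmin`, the `EXAMPLE` domain and the allowlist contents are assumptions; `POWERUSER` is the account name from the question.

```powershell
# Added example: audit the local Administrators group against an allowlist.
# Function name and allowlist entries are hypothetical placeholders.
function Get-UnexpectedLocalAdmin {
    [CmdletBinding()]
    param(
        # Accounts allowed in Administrators, given as NAME or DOMAIN\NAME
        [Parameter(Mandatory)] [string[]] $Approved
    )

    # Resolve the group by its well-known SID (S-1-5-32-544) so the check
    # also works where the group has a localized or changed name.
    $group = Get-LocalGroup -SID 'S-1-5-32-544'

    try {
        $members = Get-LocalGroupMember -Group $group -ErrorAction Stop
    } catch {
        # Enumeration can fail (for example on an unresolvable member);
        # report that instead of silently returning "nothing unexpected".
        Write-Warning "Could not enumerate $($group.Name): $($_.Exception.Message)"
        return
    }

    foreach ($m in $members) {
        # Member names are returned as COMPUTER\name or DOMAIN\name
        $short = ($m.Name -split '\\')[-1]
        if ($Approved -notcontains $m.Name -and $Approved -notcontains $short) {
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Member   = $m.Name
                Type     = $m.ObjectClass       # User or Group
                Source   = $m.PrincipalSource   # Local or ActiveDirectory
                SID      = $m.SID.Value
            }
        }
    }
}

# Constructed allowlist: built-in Administrator, the shared install account
# from the question, and a domain group (EXAMPLE is a made-up domain name).
$approved   = 'Administrator', 'POWERUSER', 'EXAMPLE\Domain Admins'
$unexpected = @(Get-UnexpectedLocalAdmin -Approved $approved)
if ($unexpected.Count -gt 0) {
    $unexpected | Format-Table -AutoSize
    exit 1   # non-zero exit lets a scheduled task or monitoring agent alert
}
```

This only detects the change: as long as users know the password of an account that is itself a local administrator, they keep the ability to edit group membership.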
