• Status: Solved
  • Priority: Low
  • Security: Public
  • Views: 81
  • Last Modified:

Can you forbid a local administrator from having access to system restore and shadow copies?

I have a computer that runs 24x7 in a remote location. It needs to be logged in as a  local administrator due to a software requirement. Is there a way to prevent specific local admin accounts from deleting system restore points or shadow copies?

I ask due to a crypto-locker that recently affected this computer, which removed system restore points. I would like to prevent it happening again.
Bob Johnson
Bob Johnson
1 Solution
bbaoIT ConsultantCommented:
basically, local admin is local admin, which means it owns the privileges to access everything except those only controlled by the OS core.
you need another user account to do the same thing, with restricted rights comparing to a local admin.
if you have to access the system using this specific user, change the user's type from an admin to a power user instead.
Lee W, MVPTechnology and Business Process AdvisorCommented:
You should probably look at the software you're running and consider changing it or modifying it's requirements.  Often "required" admin rights aren't required if you adjust certain permissions.
One deal with auto-login, auto-lock workstation upon starting the application,
The short answer, no you can not block a local admin from doing what an admin is supposed to do.

If you have access to the software in a test environment, you could using rights assignment explore extending requisite rights to a standard user to make the software run without utilizing an administrative access.
Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Whenever dealing with restricting administrators (local or domain), one should ask can one restrict the owner of a house from doing any task in their house they want? This thread of scenarios can go for ever, give a person your house key, and then try to prevent them from throwing a party when you are away?
William FulksSystems Analyst & WebmasterCommented:
Your problem is not that local admin can remove restore points.

Your problem is that somebody on your network (or possibly that machine) opened an email or attachment that set off a cyptolocker on your network. Were people checking personal email from this machine? If so, that needs to stop ASAP.

Limiting the local admin account will only cause problems later plus, by design, it shouldn't be limited.
Bob JohnsonDirector of ITAuthor Commented:
A couple people got off track from the original question, which was whether or not you could prevent a local admin from deleting shadow copies.

The best answer was to give the person Super user rights and customize those rights to give them access to everything they need, minus access to the shadow copies.
Bob JohnsonDirector of ITAuthor Commented:
This is the best answer.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now