Group Policy - How Do I Lock Down Local Administrator Accounts?

Status
Not open for further replies.

MattyP1983

Technical User
Mar 8, 2005
1
GB
Hi All,
I currently work for a medium/large company and was wondering if it is possible to lock down local administrator accounts via group policy. We seem to have people messing around with their passwords on a regular basis and I would love to stop it all. All input on this would be greatly received.

Many Thanks, In desperate need.

Matt
 
Matt, I believe I am reading this as: all of your users have domain admin rights. Is this correct? Or that all of your users have local admin rights. Is that correct?

If they are using local accounts you need to change this if you have a domain controller. Do not allow your users to have local admin rights. That is if you expect to maintain control of your environment.

Please advise so I know how to direct you.
 
Ya, it's called "don’t give them administration privileges" haha lol

When you create a new user, you add permissions to that account via a users group. I would suggest making a group, and adding user permissions to that group that you want your users to have. Then I would suggest making an OU "organizational unit" and then setting GP for that OU...

I would also invest in software called fortress 101 if you're going to be working with a large/med sized network.


Anyway, yes, you can make your GP on an OU, then you can restrict groups as shown in this screen cap I made.

rg.gif
 
was wondering if possible to lock down local administrator accounts via group policy. We seem to have people messing around with their passwords on a regular occasion

As noted above, administrators are administrators. You can't lock down an admin. You can't prevent an admin from changing the password on any of the accounts local to the particular box they are an admin on.

Users should never be local administrators. Yes there are many poorly written apps that require admin rights, but they can be worked around by using regmon, filemon and runas. Making everyone an admin on their box leads to the problems you are posting about, but it also substantially increases the risk for a virus/spyware/malware/worm outbreak.
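
An added example, not part of the original thread: once users have been removed from the local Administrators group (for instance through the Restricted Groups policy mentioned above), a script like this can confirm on each machine that only approved principals remain. The `CORP` domain and the `Workstation-Admins` group are hypothetical names.

```powershell
# Audit the local Administrators group (well-known SID S-1-5-32-544) and
# report every member that is not on the approved list.
# Requires Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).

# Approved members, by name. Both entries are hypothetical placeholders;
# replace them with the groups your own policy allows.
$ApprovedNames = @('CORP\Domain Admins', 'CORP\Workstation-Admins')

function Test-ApprovedAdmin {
    param(
        [Parameter(Mandatory)] $Member,
        [string[]] $Approved
    )
    # The built-in local Administrator account always has RID 500.
    # If PrincipalSource is not populated (older Windows builds), the account
    # is reported as unexpected, which is the safe direction to fail in.
    if ($Member.PrincipalSource -eq 'Local' -and $Member.SID.Value -match '-500$') {
        return $true
    }
    return $Approved -contains $Member.Name
}

function Get-UnexpectedLocalAdmin {
    param([string[]] $Approved)
    # Address the group by SID so the check also works on non-English Windows,
    # where the group is not named "Administrators".
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { -not (Test-ApprovedAdmin -Member $_ -Approved $Approved) } |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                      Name, ObjectClass, PrincipalSource, SID
}

$unexpected = @(Get-UnexpectedLocalAdmin -Approved $ApprovedNames)
if ($unexpected.Count -eq 0) {
    Write-Output ('{0}: local Administrators matches the approved list.' -f $env:COMPUTERNAME)
} else {
    Write-Warning ('{0}: {1} unexpected local administrator(s) found.' -f $env:COMPUTERNAME, $unexpected.Count)
    $unexpected | Format-Table -AutoSize
}
```

`Get-LocalGroupMember` is known to throw when the group contains orphaned SIDs left behind by deleted domain accounts, so an error from this script on a given machine is itself worth investigating.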
 