Take a look at this blog post: http://www.grouppolicy.biz/2010/01/how-to-use-group-policy-preferences-to-secure-local-administrator-groups/
Specifically steps 7 & 8: on startup all manually added administrators will be removed. To enable local users to run as administrators we've created an AD security group named "%DomainName%\%ComputerName%_administrators" which we add to the local Administrators group (if the group is present).

In regards to your bonus question, you can use AppLocker to block users from running mmc.exe. That being said, if you give a user administrative access, all protection you add can be circumvented; the user will be able to disable the Group Policy client and thereby the Administrators group won't be reset on startup.

A better solution would be to figure out why the program needs administrative access. Sometimes programs need write access to the program folder, i.e. C:\Program Files\Some Program\. Program Files is only writeable for administrators; would a solution be to give the user write access to the program folder?

A program like PowerBroker* might be a solution.

* http://www.beyondtrust.com/Products/PowerBrokerforWindows/

Kind regards
Henrik Bierbum Bacher
System and support employee, PensionDanmark

From: [email protected] [mailto:[email protected]] On Behalf Of Ed Ziots
Sent: 27 March 2015 10:12
To: [email protected]
Subject: Re: [NTSysADM] Local Administrators on computers

First question: why do they need administration rights? Just because they've said so, or because some app they're running isn't working?

I agree giving users administration rights on workstations could be an issue.

Ed

On Mar 26, 2015 1:40 AM, "Freddy Grande" <[email protected]> wrote:

How does everyone handle users needing local administrator rights? We have some field users that require local admin; at the moment their domain accounts have local administrator rights on their computers, however, this can be dangerous if they run everything as admin.

I've been wanting to create local admin accounts on computers that require it, set a unique password to these and deny local/interactive logon so they are only to be used for elevation. Ideally all of this should be controlled through GPO or a similar method to prevent users changing passwords to something weak. I'm not finding an easy way to refer to local accounts in GPO though, so I'm thinking scripting is going to be the only way to go… any thoughts or ideas?

Bonus: how would you prevent a user from launching an elevated Computer Management console and adding their domain user accounts to the Administrators group?

Freddy
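The following is an added example, not code from this thread or from the linked grouppolicy.biz post. It shows the "reset local Administrators on startup" behaviour that Henrik describes at the top of the thread as a PowerShell startup script rather than a Group Policy Preference: everything not on an allow list is removed, and the per-computer AD group is added only if it resolves. Assumptions (all hypothetical): the script runs as SYSTEM from a GPO startup script, the AD group follows the `<DOMAIN>\<COMPUTERNAME>_administrators` convention from Henrik's reply, the allow list and the `LocalAdminEnforcer` event source name are placeholders, and the `Microsoft.PowerShell.LocalAccounts` module (Windows 10 / Server 2016 and later) is available.

```powershell
# Added example (not from the thread or the linked post): re-assert local Administrators
# membership at startup. Hypothetical assumptions: runs as SYSTEM, per-computer AD group is
# named "<DOMAIN>\<COMPUTERNAME>_administrators", LocalAccounts module is present.

$domain       = $env:USERDOMAIN
$computer     = $env:COMPUTERNAME
$perHostGroup = "$domain\${computer}_administrators"   # per-computer AD group from the reply
$logSource    = 'LocalAdminEnforcer'                    # placeholder event source name

# Members that may always remain; anything else is treated as a manual addition.
$allowed = @(
    "$computer\Administrator",
    "$domain\Domain Admins",
    $perHostGroup
)

# Register an Application-log source once so every removal leaves an audit trail.
if (-not [System.Diagnostics.EventLog]::SourceExists($logSource)) {
    New-EventLog -LogName Application -Source $logSource
}

function Test-PrincipalResolvable {
    # $true if the account name resolves to a SID (i.e. the AD group exists),
    # $false otherwise. Uses the Windows name-to-SID lookup; no AD module needed.
    param([string]$Name)
    try {
        $null = ([System.Security.Principal.NTAccount]$Name).Translate(
                    [System.Security.Principal.SecurityIdentifier])
        return $true
    } catch [System.Security.Principal.IdentityNotMappedException] {
        return $false
    }
}

$current = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name

# Step 1: strip members not on the allow list (the "remove manual additions" behaviour).
foreach ($member in $current) {
    if ($allowed -notcontains $member) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $member
        Write-EventLog -LogName Application -Source $logSource -EntryType Warning -EventId 1001 `
            -Message "Removed unexpected member '$member' from local Administrators on $computer."
    }
}

# Step 2: add the per-computer AD group, but only if it actually exists in the domain.
if ((Test-PrincipalResolvable $perHostGroup) -and ($current -notcontains $perHostGroup)) {
    Add-LocalGroupMember -Group 'Administrators' -Member $perHostGroup
    Write-EventLog -LogName Application -Source $logSource -EntryType Information -EventId 1002 `
        -Message "Added '$perHostGroup' to local Administrators on $computer."
}
```

Deploy it under Computer Configuration as a startup script so it runs before any user logs on. The event-log entries are the useful part for detection: a workstation that stops emitting them, or emits event 1001 on every boot for the same account, is the signal that someone with local admin is re-adding themselves or has tampered with the Group Policy client, which is exactly the limitation Henrik points out. On some Windows builds `Get-LocalGroupMember` throws when the group contains an orphaned SID; if that happens, add `-ErrorAction Stop` inside a try/catch and fall back to enumerating the group via `[ADSI]"WinNT://./Administrators,group"`.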

