Matthew,

Preventing users from creating local accounts:

1. Don't make their domain user accounts members of the local administrators group.
2. I believe with Group Policy you can create accounts and set the passwords on the new account or existing accounts. (I haven't tested this though.)

If they really need a local admin level account, a compromise might be to give them a highly restricted local admin account with which they can install software, change settings - but no internet, LAN resources, etc.

Ty

----- Original Message -----
From: Matthew Perry [mailto:[email protected]]
Sent: Friday, May 20, 2011 01:06 PM
To: PaulDotCom Security Weekly Mailing List <[email protected]>
Subject: Re: [Pauldotcom] local windows accounts

"personal preference and credential compartmentalization" was the answer I got. My issue is getting management to back me right now. Also is there a group policy setting to keep users from creating local accounts?

On Friday, May 20, 2011, Joel Esler <[email protected]> wrote:
> Ask them why. Then report back. Most likely they don't need what they are
> asking.
>
> On May 20, 2011, at 1:24 PM, Matthew Perry wrote:
>
>> I have a few users who insist that they need a local account on their domain
>> laptops. I am trying to explain to them that their password will cache and
>> allow them to login while not on the network. It also looks like local
>> accounts bypass a lot of our group policy rules that we have put in place
>> and I do not want to have to manage local policies as well. Can anyone give
>> me some more good reasons why it is bad to use a local account instead of a
>> domain account.
>>
>> Thanks!
>>
>> --
>> Matthew Perry
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
>

--
Matthew Perry
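
An added example, not part of the original thread: a PowerShell audit for the two conditions discussed above, domain users sitting in the local Administrators group and enabled, user-created local accounts. It assumes Windows PowerShell 5.1 or later (the Microsoft.PowerShell.LocalAccounts cmdlets); the function name `Get-LocalAccountFinding` is hypothetical.

```powershell
# Added example (not from the thread). Run on the domain laptop being checked.
# Assumes the built-in LocalAccounts module (Windows PowerShell 5.1+).
function Get-LocalAccountFinding {
    $findings = @()

    # Local Administrators, addressed by its well-known SID so the check
    # also works on non-English installs where the group name differs.
    try {
        $members = Get-LocalGroupMember -SID 'S-1-5-32-544' -ErrorAction Stop
    } catch {
        Write-Warning "Could not enumerate local Administrators: $_"
        $members = @()
    }

    foreach ($m in $members) {
        # Domain principals report PrincipalSource 'ActiveDirectory'.
        # A domain *user* here can create local accounts at will.
        if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'ActiveDirectory') {
            $findings += [pscustomobject]@{
                Finding = 'Domain user in local Administrators'
                Name    = $m.Name
                Detail  = $m.SID.Value
            }
        }
    }

    foreach ($u in Get-LocalUser) {
        # The last SID component is the RID. RIDs below 1000 are built-in
        # accounts (Administrator 500, Guest 501, ...); 1000 and up were
        # created after installation.
        $rid = [long](($u.SID.Value -split '-')[-1])
        if ($u.Enabled -and $rid -ge 1000) {
            $findings += [pscustomobject]@{
                Finding = 'Enabled user-created local account'
                Name    = $u.Name
                Detail  = "LastLogon=$($u.LastLogon); PasswordLastSet=$($u.PasswordLastSet)"
            }
        }
    }

    return $findings
}

Get-LocalAccountFinding | Format-Table -AutoSize -Wrap
```

An empty result means no domain user holds local admin rights and no non-built-in local account is enabled on that machine.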
