Questions

Howto prevent advanced users from removing domain admins

+
0 Votes
Locked

Howto prevent advanced users from removing domain admins

anders_emajl
In my organisation there are several advanced users and an overall need to be local administrator.
I have noticed that some users remove the Domain Admins group from the Local administrators group and use the local account for work and map up network drives.

Any suggestion how to prevent this from happening?
  • +
    0 Votes
    dan.cox

    I don't know about preventing them from deleting it but you can certainly use group policy to ensure it is always there.
    Any time a machine is logged into the domain a group policy can check if that group is there and if not add it. So they can remove it till they are blue in the face. They will eventually stop removing it.

    +
    0 Votes
    anders_emajl

    I know a little about group polycis but not enough to to create this kind of policy, can You give me a help on the road.

    +
    0 Votes
    animatech

    1 way to do this is to create a new GP on the user folder (Or any other folder that these users belong too).
    Then via user configuration > administrative templates > window explorer enable 'remove security tab'.
    Next time they will try to change anything with the folder they will not have the security option available for them.

    +
    0 Votes

    I have a user that adds a bat file to the startup to keep it removed. I work at the state, so I can't use means that most other companies use.

    +
    0 Votes
    kaalvin_singh

    Hi ,

    This is kalvinder,You can implement Computer based Group Policy and deny lusrmgr.msc file and put a particular Computer in OU.I hope your problem wud resolved.

    Kalvinder

    +
    0 Votes
    1bn0

    to only those machines that authenticate with the Active Directory.

    If your network infrastructure supports it.

  • +
    0 Votes
    dan.cox

    I don't know about preventing them from deleting it but you can certainly use group policy to ensure it is always there.
    Any time a machine is logged into the domain a group policy can check if that group is there and if not add it. So they can remove it till they are blue in the face. They will eventually stop removing it.

    +
    0 Votes
    anders_emajl

    I know a little about group polycis but not enough to to create this kind of policy, can You give me a help on the road.

    +
    0 Votes
    animatech

    1 way to do this is to create a new GP on the user folder (Or any other folder that these users belong too).
    Then via user configuration > administrative templates > window explorer enable 'remove security tab'.
    Next time they will try to change anything with the folder they will not have the security option available for them.

    +
    0 Votes

    I have a user that adds a bat file to the startup to keep it removed. I work at the state, so I can't use means that most other companies use.

    +
    0 Votes
    kaalvin_singh

    Hi ,

    This is kalvinder,You can implement Computer based Group Policy and deny lusrmgr.msc file and put a particular Computer in OU.I hope your problem wud resolved.

    Kalvinder

    +
    0 Votes
    1bn0

    to only those machines that authenticate with the Active Directory.

    If your network infrastructure supports it.