Howto prevent advanced users from removing domain admins

By anders_emajl ·
In my organisation there are several advanced users and an overall need to be local administrator.
I have noticed that some users remove the Domain Admins group from the Local administrators group and use the local account for work and map up network drives.

Any suggestion how to prevent this from happening?

This conversation is currently closed to new comments.

7 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Answers

Collapse -

Group Policy

by dan.cox In reply to Howto prevent advanced us ...

I don't know about preventing them from deleting it but you can certainly use group policy to ensure it is always there.
Any time a machine is logged into the domain a group policy can check if that group is there and if not add it. So they can remove it till they are blue in the face. They will eventually stop removing it.

Collapse -

Group Policy...

by anders_emajl In reply to Group Policy

I know a little about group polycis but not enough to to create this kind of policy, can You give me a help on the road.

Collapse -

Group policy

by animatech In reply to Group Policy...

1 way to do this is to create a new GP on the user folder (Or any other folder that these users belong too).
Then via user configuration > administrative templates > window explorer enable 'remove security tab'.
Next time they will try to change anything with the folder they will not have the security option available for them.

Collapse -

Not Really a good fix for the advanced.

by sendyourgarbagehere In reply to Group Policy

I have a user that adds a bat file to the startup to keep it removed. I work at the state, so I can't use means that most other companies use.

Collapse -

Implement GPO

by kaalvin_singh In reply to Howto prevent advanced us ...

Hi ,

This is kalvinder,You can implement Computer based Group Policy and deny lusrmgr.msc file and put a particular Computer in OU.I hope your problem wud resolved.


Collapse -

May be you should look into restricting newtwork access

by 1bn0 In reply to Howto prevent advanced us ...

to only those machines that authenticate with the Active Directory.

If your network infrastructure supports it.

Back to Networks Forum
7 total posts (Page 1 of 1)  

Related Discussions

Related Forums