Not allowing Domain admins to log on to workstations


I was wondering if anyone knew of a policy to deny domain admins from logging on to workstations with their domain admin account. Too many problems have happened like this, since they have too much access on the domain and can spread any virus and so on.


All Answers



by p.j.hutchison In reply to Not allowing Domain admin ...

You can use the Restricted Groups policy in your staff PC OUs to determine which groups or users are members of the local Administrators group.
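An added example, not posted in this thread, of the check that goes with a Restricted Groups policy: it lists members of the local Administrators group and flags anything outside an allowed set. The allowed list is an assumed placeholder for the `CONTOSO` domain; replace it with whatever the policy is supposed to enforce.

```powershell
# Added example (not from the thread): report members of the local Administrators
# group that a Restricted Groups policy should not have left there.
# The allowed list below is constructed for this example; substitute your own.
$Allowed = @(
    "$env:COMPUTERNAME\Administrator",   # the built-in local account
    'CONTOSO\Workstation Admins'         # placeholder group name
)

function Get-LocalAdminDrift {
    param([string[]]$AllowedMembers = $Allowed)

    # Get-LocalGroupMember is in the Microsoft.PowerShell.LocalAccounts module (PowerShell 5.1+)
    $members = Get-LocalGroupMember -Group 'Administrators' |
        Select-Object -ExpandProperty Name

    foreach ($m in $members) {
        # -notcontains is case-insensitive, which matches how Windows compares names
        if ($AllowedMembers -notcontains $m) {
            [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                Member     = $m
                Unexpected = $true
            }
        }
    }
}

# Run on a workstation (needs local admin rights); empty output means no drift.
Get-LocalAdminDrift | Format-Table -AutoSize
```

On a default domain-joined PC this will report `CONTOSO\Domain Admins`, because Windows adds that group to local Administrators at join time; whether that is "drift" is exactly the decision the Restricted Groups policy makes for you.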


Not allowing Domain admins to log on to workstations

by In reply to Policy

Thanks, I don't think that it will quite do it. I don't see how it can prevent them from using the workstation. Maybe a script that, if they log on to a workstation and are a member of the Domain Admins group, will automatically log them off?


Deny login access

by p.j.hutchison In reply to Not allowing Domain admin ...

You can use Group Policy to deny access to groups of users:

Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment

Deny log on locally, and add the appropriate user groups

(be VERY careful where you apply this policy as you can lock out your administrators from the entire domain!).
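An added example, not part of the reply, showing how to verify what the "Deny log on locally" right (`SeDenyInteractiveLogonRight`) actually contains on a machine after the GPO applies, and to catch the lock-out the reply warns about: it warns when an admin group is denied on anything that is not a workstation. It uses `secedit` to export the effective policy and needs to run elevated; the temporary file path is an assumption.

```powershell
# Added example (not from the thread): list the principals denied "Log on locally"
# by the effective local security policy and warn if an admin group is denied on a
# server or domain controller. Run in an elevated session.
function Get-DenyInteractiveLogon {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'   # assumed scratch location
    # secedit exports the effective policy; USER_RIGHTS limits it to user rights assignments
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right not set: nobody is denied

    # The value is comma-separated; SIDs are prefixed with '*', names appear as-is
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($e in $entries) {
        $e = $e.Trim()
        if ($e.StartsWith('*')) {
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
                $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $e }   # unresolvable SID (deleted account): keep the raw SID
        } else { $e }
    }
}

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server
$role   = (Get-CimInstance Win32_OperatingSystem).ProductType
$denied = @(Get-DenyInteractiveLogon)

if ($role -ne 1 -and ($denied -match 'Domain Admins|\\Administrators$')) {
    Write-Warning ("ProductType $role is not a workstation, yet an admin group is denied " +
                   "interactive logon: $($denied -join ', ')")
}
$denied
```

Run it on a representative machine from each OU the GPO is linked to; a domain controller that prints the warning is the "locked out of the entire domain" case, and the fix is the GPO link scope, not the setting.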


This is a bit Goofy

by IC-IT In reply to Not allowing Domain admin ...

It is certainly a sad state of affairs when Domain Admins can't be trusted to log on to a local computer.
Perhaps the best answer may be to fire those members and hire some professionals?


I'm with bwilmot... goofy idea to restrict domain admins

by CG IT In reply to This is a bit Goofy

Domain admins are supposed to have complete access to the network, including workstations, to do their job. Why have someone assigned to an admin user group when clearly they don't belong in that group, if you must limit their network access?


Strange indeed

by lowlands In reply to This is a bit Goofy

And whatever you do to limit Domain Admins access, they'll have the permissions to either bypass or undo the measures you put in place. Which is kind of the idea of being a Domain Admin.

Now I can see you'd enforce the best practice of not logging in with an account with elevated privileges. But other than hammering some common sense into them, doing some auditing and maybe following that up with a stern talking to.

edit: typos are a pain


Microsoft's idea

by In reply to Strange indeed

See, this is Microsoft's idea: for admins to have 2 accounts, and for their everyday workstation, where they have internet on etc., they can use a non-domain-admin account. And for all admin tasks they can remote to the servers or use an admin PC which they also have. It's kind of to prevent various viruses and junk spreading over the network.


Still needed

by IC-IT In reply to Microsoft's idea

It is a good idea for them to have a second account, but dependent upon the tools/utilities being run from the server, domain admins still need to be in the local admin group.


Very true

by In reply to Still needed

Yes, very true, and they do. But only for workstations. On the servers they can log in using their domain admin account. I think I have something though: a GPO linked to the OU with domain admins in it, then a logon script which will run the shutdown command with the logoff string.
Of course the script is only on the local computers, and not on the servers.
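An added example, not the poster's script, of the logon script described in this last post: it checks whether the logon token carries the Domain Admins group (well-known RID 512, so nested membership counts), refuses to act on anything that is not a workstation, writes an event so the logoff can be collected centrally, and then runs `shutdown /l`. The event source name `LogonPolicy` is an assumed placeholder; the script is assumed to be deployed as a user logon script through the GPO the post mentions.

```powershell
# Added example (not from the thread): log off a Domain Admins member who signs in
# interactively on a workstation, and record the event first.
$DomainAdminsRid = '-512'   # well-known RID of the Domain Admins group
$EventSource     = 'LogonPolicy'   # constructed placeholder name

function Test-IsWorkstation {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
    # Servers keep the post's "only on the local computers" rule even if the GPO is mis-linked.
    return ((Get-CimInstance Win32_OperatingSystem).ProductType -eq 1)
}

function Test-TokenHasDomainAdmins {
    # Inspect the logon token's group SIDs rather than the directory, so membership
    # through nested groups and the UAC-filtered token are both covered
    $groups = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups
    foreach ($g in $groups) {
        if ($g.Value -like "S-1-5-21-*$DomainAdminsRid") { return $true }
    }
    return $false
}

if ((Test-IsWorkstation) -and (Test-TokenHasDomainAdmins)) {
    $msg = "Domain Admins member $env:USERDOMAIN\$env:USERNAME signed in to workstation $env:COMPUTERNAME; logging off."

    # Write the event before logging off so auditing (the "stern talking to") has a record
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource -ErrorAction SilentlyContinue
    }
    Write-EventLog -LogName Application -Source $EventSource -EntryType Warning `
        -EventId 1001 -Message $msg -ErrorAction SilentlyContinue

    # shutdown /l logs off the current user; it is the "shutdown command with the logoff string"
    shutdown.exe /l
}
```

Because the script runs in the user's own session, a Domain Admin can still stop it; it enforces the two-account habit rather than replacing the "Deny log on locally" right, which the operating system applies before any script runs.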
