Restrict local admin rights

securitygeek

New Member
Joined
Jul 26, 2019
Hi,

Wonder if this is possible. Currently GPO is used to push out policy to allow an AD group local admin rights on PC's. The requirement is to further restrict access by using GPO (and possibly restricted groups) so that only the owner of the laptop has local admins to their PC. This needs to also allow centralised management and auditing. Is this even possible?

Thanks
 

Neemobeer

Windows Forum Team
Staff member
Joined
Jul 4, 2015
Location
Colorado
Perhaps but that would be a bad idea to have only one account have admin rights on a system.
 

securitygeek

New Member
Joined
Jul 26, 2019
IT will have local admin rights also, but this is more from a user perspective. There's a separate group for IT.
 

securitygeek

New Member
Joined
Jul 26, 2019
Just restrict who is in the administrators group
Restricting the group is not the problem, the problem is once they are a member of the group they have local admin access to all PC's because group is assigned to all PC's. We need restrict it to specific PC's only.
 

Neemobeer

Windows Forum Team
Staff member
Joined
Jul 4, 2015
Location
Colorado
Oh you want to give the user admin rights? That is a really bad idea. There isn't an easy way to do that besides when the system is setup or some kind of scripted solution.
 
Top Bottom