Restrict local admin rights

securitygeek · Jul 26, 2019

Hi,

Wonder if this is possible. Currently GPO is used to push out policy to allow an AD group local admin rights on PC's. The requirement is to further restrict access by using GPO (and possibly restricted groups) so that only the owner of the laptop has local admins to their PC. This needs to also allow centralised management and auditing. Is this even possible?

Thanks

Neemobeer · Jul 26, 2019

Perhaps but that would be a bad idea to have only one account have admin rights on a system.

securitygeek · Jul 26, 2019

IT will have local admin rights also, but this is more from a user perspective. There's a separate group for IT.

Neemobeer · Jul 26, 2019

Just restrict who is in the administrators group

securitygeek · Jul 26, 2019

Neemobeer said:
Just restrict who is in the administrators group

Restricting the group is not the problem, the problem is once they are a member of the group they have local admin access to all PC's because group is assigned to all PC's. We need restrict it to specific PC's only.

Neemobeer · Jul 26, 2019

Oh you want to give the user admin rights? That is a really bad idea. There isn't an easy way to do that besides when the system is setup or some kind of scripted solution.

Restrict local admin rights

securitygeek

New Member

Neemobeer

Cloud Security Engineer

securitygeek

New Member

Neemobeer

Cloud Security Engineer

securitygeek

New Member

Neemobeer

Cloud Security Engineer

Similar threads