bowl443, on 24 January 2013 - 22:06, said:
Windows 2008 domain with domain controllers running '08 R2.
We had a user today add himself as a local admin on a Windows 7 machine, giving himself full rights to that machine.
How can I prevent this with a GPO?
Group Policy Preferences. This will properly layer over multiple GPOs targeting the same group.
Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups.
Create a "New Local Group" and from the drop-down caret under Group name: select "Administrators (built-in)".
Checkmark "Delete all member users"
Checkmark "Delete all member groups"
Now select the "Add" and then "..." buttons to query for domain groups or user objects. Do not type in the Name: field manually unless you are defining a local computer user or group object that will still be a member, otherwise you may not properly attach the domain object SID to the GPP. You may wish to add the local computer "Administrator (built-in)" user to this group.
Under the Common tab you should select "Remove this item when it's no longer applied." and select "No" so that all members added to the group are removed when the GPO is no longer applied to the computer. Beware that if you do not have a higher level GPO that automatically adds a local Administrator to this group, it is possible to remove all Administrators from a computer.
Beware of using "Delete all local users" against servers. You will discover scenarios where your GPO will cease to function on servers containing certain roles (I believe it involves the Configuration Manager agent being present), and then you may have almost everyone locked out of the server until you create a lower level GPO that fixes the issue and wait for your GPO refresh timer to execute. In this particular case, if you need to control local users, have a parent GPO control removal and a layered GPO control the actual members. It'll scream at you in the event logs when "Delete all local users" fails to function.
If you do this, even if someone adds an account to the Administrators group, your next GPO refresh will undo the change. If someone adds a user to the group while the machine is offline, the GPO refresh at startup will likely remove the user from the group before or during logon. People who know how to launch PowerShell under the System context of the logon screen, however, will be able to defeat this GPO. If you really want to prevent offline attacks, use BitLocker, but BitLocker will not defend against an online attack that enables a CLI to work at the logon screen.
As I recall, this GPP has no effect against built-in groups on Domain Controllers.
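The GPP item above enforces membership only at each refresh, and the reply notes ways around it. As an added example (not code from the thread or from Microsoft), the script below audits the local Administrators group against an allow-list of SIDs and exits non-zero on drift, so a scheduled task or monitoring agent can alert in the window between refreshes. It uses the WinNT ADSI provider and WMI so it also runs on the Windows 7 / 2008 R2 hosts discussed above; the SIDs in $AllowedSids are placeholders for your own domain's values.

```powershell
# Added example, not part of the original thread: report local Administrators
# members that are not on an allow-list. WinNT ADSI + WMI keep it working on
# Windows 7 / 2008 R2 (PowerShell 2.0, no LocalAccounts module).
param(
    # Allow-list as SIDs, matching what the GPP item adds. Compare SIDs, not
    # names: names are localized, and a rogue local account can be named to
    # look like a domain group. These values are placeholders.
    [string[]]$AllowedSids = @(
        'S-1-5-21-<DOMAIN>-512',   # placeholder: Domain Admins
        'S-1-5-21-<DOMAIN>-1105'   # placeholder: CORP\Workstation Admins
    )
)

function Get-LocalAdministratorsMembers {
    # Resolve the built-in group by its well-known SID so a renamed or
    # localized group name does not matter.
    $groupSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
    $groupName = ($groupSid.Translate([System.Security.Principal.NTAccount]).Value -split '\\')[-1]
    $group     = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $adsPath = $m.GetType().InvokeMember('AdsPath',   'GetProperty', $null, $m, $null)
        $rawSid  = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        $sid     = (New-Object System.Security.Principal.SecurityIdentifier($rawSid, 0)).Value
        New-Object PSObject -Property @{ Member = ($adsPath -replace '^WinNT://', ''); Sid = $sid }
    }
}

function Get-LocalBuiltinAdministratorSid {
    # RID 500 of the *machine* SID. Filtering on LocalAccount avoids matching
    # the domain Administrator, which is also RID 500 of its own domain SID.
    $acct = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
            Where-Object { $_.SID -like 'S-1-5-21-*-500' }
    return $acct.SID
}

# The local built-in Administrator is always accepted, mirroring the advice
# above to keep it in the group so the machine is never left without one.
$allowed = @($AllowedSids) + @(Get-LocalBuiltinAdministratorSid)
$drift   = @(Get-LocalAdministratorsMembers | Where-Object { $allowed -notcontains $_.Sid })

if ($drift.Count -eq 0) {
    Write-Output "OK: local Administrators on $env:COMPUTERNAME matches the allow-list."
    exit 0
}
# Non-zero exit so a scheduled task or monitoring agent can alert on it.
Write-Warning "DRIFT: $($drift.Count) unexpected member(s) in local Administrators on $env:COMPUTERNAME"
$drift | Format-Table Member, Sid -AutoSize
exit 2
```

Run it under an account that can read local group membership (any admin, or SYSTEM from a scheduled task); a member that the GPP refresh later removes still shows up here, which is exactly the event worth recording.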