Stop users from adding local admins

By bowl443
in Smart Home, Network & Security

 Share

Recommended Posts

Grand Master

sc302 Veteran

Posted
  • Veteran
Posted

You make them a normal user on the computer. That is how you do it. If they use a boot disk to get around it, set a bios password and put security screws on the case so they can't open it. If they continue to break policy it is grounds for termination or removal of computer rights (at least that should be in your policy).

Power users does not allow you to add admins to the computer. You would need to be an admin or a group that has local admin rights. Or a boot disk like the free hirens disk that you can download and boot off of.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

"We had user today add themselves as a local admin,"

As sc302 mentions "boot disk to get around it, set a bios password"

If I have physical access to the box - I can just boot one of many different tools to change the local admin account password. Log in with that for what I need, or log in with that and then give whatever other account I want local admin as well.

You can not prevent that from happening with a gpo.. The box would have to be setup with a bios password to prevent booting from removable media, be it cd or usb, etc. And you also need to prevent pxe - or I could just boot the tool I need to change the local admin password via pxe if so desired, etc.

  • goretsky and fusi0n
  • Like 2
Collaborator

ITFiend

Posted
Posted

Windows 2008 domain with domain controllers running '08 R2.

We had user today add themselves as a local admin, giving himself full rights to that machine on a Windows 7 machine.

How can I prevent this with a GPO?

Group Policy Preferences. This will properly layer over multiple GPO's targeting the same group.

Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups.

Create a "New Local Group" and from the drop down caret under Group name: select "Administrators (built-in)

Checkmark "Delete all member users"

Checkmark "Delete all member groups"

Now select the "Add" and then "..." buttons to query for domain groups or user objects. Do not type in the Name: field manually unless you are defining a local computer user or group object that will still be a member, otherwise you may not properly attach the domain object SID to the GPP. You may wish to add the local computer "Administrator (built-in)" user to this group.

Under the Common tab you should select "Remove this item when it?s no longer applied." and select "No" so that all members added to the group are removed when the GPO no longer is used against the computer. Beware that if you do not have a higher level GPO that automatically adds a local Administrator to this group that it is possible to remove all Administrators from a computer.

Beware on using "Delete all local users" against servers. You will discover scenarios where your GPO will cease to function on servers containing certain roles (I believe it involves the Configuration Manager agent being present), and then you may have almost everyone trapped out of the server until you create a lower level GPO that fixes the issue and wait for your GPO refresh timer to execute. In this particular case if you need to control local users, have a parent GPO control removal, and a layered GPO control the actual members. It'll scream at you in the event logs when Delete all local users fails to function.

If you do this, even if someone adds an account to the Administrators group, your next GPO refresh will undo the change. If someone adds a user to the group while the machine is offline, the GPO refresh at startup will likely remove the user from the group before or during logon. People who know how to launch PowerShell under the System context of the Logon screen however will be able to defeat this GPO. If you really want to prevent offline attacks, use BitLocker, but BitLocker will not defend against an online attack that enables a CLI to work at the logon screen.

As I recall, this GPP has no effect against built-in groups on Domain Controllers.

  • goretsky, Charisma and Aergan
  • Like 3
Grand Master

sc302 Veteran

Posted
  • Veteran
Posted

Group Policy Preferences. This will properly layer over multiple GPO's targeting the same group.

Computer Configuration\Preferences\Control Panel Settings\Local Users and Groups.

Create a "New Local Group" and from the drop down caret under Group name: select "Administrators (built-in)

Checkmark "Delete all member users"

Checkmark "Delete all member groups"

Now select the "Add" and then "..." buttons to query for domain groups or user objects. Do not type in the Name: field manually unless you are defining a local computer user or group object that will still be a member, otherwise you may not properly attach the domain object SID to the GPP. You may wish to add the local computer "Administrator (built-in)" user to this group.

Under the Common tab you should select "Remove this item when it?s no longer applied." and select "No" so that all members added to the group are removed when the GPO no longer is used against the computer. Beware that if you do not have a higher level GPO that automatically adds a local Administrator to this group that it is possible to remove all Administrators from a computer.

Beware on using "Delete all local users" against servers. You will discover scenarios where your GPO will cease to function on servers containing certain roles (I believe it involves the Configuration Manager agent being present), and then you may have almost everyone trapped out of the server until you create a lower level GPO that fixes the issue and wait for your GPO refresh timer to execute. In this particular case if you need to control local users, have a parent GPO control removal, and a layered GPO control the actual members. It'll scream at you in the event logs when Delete all local users fails to function.

If you do this, even if someone adds an account to the Administrators group, your next GPO refresh will undo the change.

As I recall, this GPP has no effect against built-in groups on Domain Controllers.

The damage is already done at that point. There is no gpo that prevents this.

  • goretsky and fusi0n
  • Like 2
Collaborator

ITFiend

Posted
Posted

The damage is already done at that point. There is no gpo that prevents this.

Depends what the actual story is, which the OP barely gave details on. What I described helps mitigate. (BTW, you responded to my original message prior to a bit of editing)

To prevent offline attacks, the only real "solution" is to manage the machines with BitLocker, a TPM, and Network Unlock.

A BIOS System password is only effect against "some" computers with properly designed firmware. A large majority that I've encountered do not block the F12 (or equivalent) firmware/BIOS boot menus even if a System password is present, including some of Dell's business line machines. Only some actually require authentication if a system password is present. I have some Precision workstations that do intrusion detection great, but only a BIOS user password will prevent a user from calling on the boot menu (and of course block them from using the computer at all without support). I don't believe any vendor is 100% consistent across their motherboard models when it comes to securing its BIOS/Firmware boot menu.

Also, when properly managed, "BitLocker+TPM+Network Unlock" is the better solution than any firmware block or physical lockdown because it requires the end user actually have technical skills. They need to have successful online attacks before an offline attack becomes possible. At this point most failures will be the result of desktop mismanagement.

Obviously it?s a bit trickier on mobile systems, as Network Unlock likely becomes impossible and you have to replace it with +PIN/+USB.

Apprentice

bowl443

Posted
  • Author
Posted

Sorry for the brevity in the OP. I hammered out the question before leaving the office for the day. I probably should have waited until I had all the details before posting. An area tech called me with the problem and the details were vague.

It is my understanding that the user launched the user account applet and made the changes. I was hoping that there was a GPO that disabled access to that particular applet.?.

Thanks for the responses.

When I get to work tomorrow morning I'll set up a test user with the same privilages and try it out and see if I can figure out how he did what he did.

Grand Master

n_K

Posted
Posted

It is my understanding that the user launched the user account applet and made the changes. I was hoping that there was a GPO that disabled access to that particular applet.?.

Then the problem lies with your lack of basic security then, nothing GP will fix - you've set his account up as an admin.

Grand Master

Japlabot

Posted
Posted

Agree with grounds for termination and so on, but also worth pointing out, try and find out what possessed the user to get Admin rights. Did he do it because he is an ass who wants to install some dodgy Facebook games, or is there something wrong with his computer that hasn't been addressed and he was trying to take matters into his own hands to fix it out of frustration?

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

Kaedrin -- are you talking about restricted groups? Seems like a really long explanation of restricted groups to me. Which sure you can restrict who is in your admins group. And yes that is a great idea and normally an audit requirement anyway..

But if I have local admin - its real easy to block gpo being pushed from the domain..

Now sure if you want to go the encrypted route - this can also prevent the boot tools to change the admin account. But normally your not trying to keep out the elite hackers here.. Your keeping billy joe bob from running some boot tool he found on the net, etc.

But yeah if all he did was launch user manager -- then he had rights in the first place. Does someone have domain users in the Domain Admins group ;)

Collaborator

ITFiend

Posted
Posted

Kaedrin -- are you talking about restricted groups?

Restricted Groups is legacy. They have extremely limited functionality compared to GPP Groups, and as I recall cannot be layered across multiple GPO's. Unless the target is a pre-Vista system, GPP Groups should be used instead. I abandoned Restricted Groups entirely once Vista SP1 & 2008 SP1 were released.

Collaborator

eXtermia

Posted
Posted

Even if you set a boot bios password to prevent booting from CD the passwords can usually be reset. However if you enforece bitlocker with the key being backed (with hardware TPM) up to AD and only recoverable from AD admins there is no way they can use any off the street tool to add thierselves as Admin. First they would have to have access to the AD and have rights to view the key. Note Admins can still boot and use the recovery MS DART toolsets and reset passwords or whatever with the recovery key. There is no way the user will be able to boot from cd and give himself admin rights.

There is a small chance of privilege level escalations using say a faulty cisco vpn client allowing the users to get system access and then give themselves root from a running machine. Also there is a small chance they could freeze the memory (actualy temp wise) and read the bitlocker key from an additional machine. However the general user with all his "hacker" tools arent' going to bypass a full system encryption (assuming you have a TPM module in place)

You don't say if you do have a TPM enabled machines or not.

However s/he already OWNS this machine. The only way to ensure they don't give themselves rights again is to re-image. As as long as he or she had admin rights to begin with, they may of installed a system level back door that simply gives the right back even after you removed them from the Admin group.

Do you make them sign an user agreement, or if they do have elevated rights a privledged level access agreement?

Apprentice

bowl443

Posted
  • Author
Posted

A little more detail;

This is at a school district and the kid in quesiton is a seventh grader. He renamed the local admin account and changed its password. Those student accounts are not local admins on the computers. After testing it with an account that we copied from his account, the only way he could have done this is with a bootable device, be it a cd, dvd, or usb drive. Thankfully with the security in place, being a local admin doesn't give him any rights on the network or domain. About the only thing he can do differently is install software locally. After going through his internet search history, he is looking for remote viewing software, specifically TeamViewer. He did not install any software though - maybe the bell rang and he ran out of time?

We're hatching a plan to catch him doing it so that we can nail down his process and figure out how much he knows. Maybe a key logger, or remote viewing software - like VNC. He could have used a product like Ophcrack and now he knows the local admin password on all the campus computers.

In the future we'll set the bios to only boot to the SATA drive and set a password on the bios to prevent changes being made to the boot order.

Any other thoughts/recommendations?

Grand Master

sc302 Veteran

Posted
  • Veteran
Posted

to catch a thief...

http://www.spectorsoft.com

Edit: also on some bios's you can set what devices are allowed to boot from not just boot priority...hitting the option to boot of a different device will yield only what devices you choose (ie, the hard drive).

The other issue is that it is pretty easy to reset this if you can pull the cover off when no one is looking, so putting in a security screw to prevent cover removal without special tools may also help.

Mentor

Karl L.

Posted
Posted

If your admin password is simple enough to be cracked locally by Ophcrack in a reasonable amount of time, that's a huge problem. Presumably you have a descent password policy and that is not the case, so I would rule out the student having access to the local admin password for all the machines.

Also, have you heard of Kon-Boot before? Its an extremely simple (and effective) method for gaining access to virtually any local Windows account, including the admin account. It would allow someone to boot from a disc, login as admin, then change the admin password. One could also login to any domain account that has been established on the local computer (i.e. a domain admin, teacher, or other student who logged in and created a profile on that computer), but since Kon-Boot bypasses the password instead of cracking it, the user won't have access to any domain resources.

Grand Master

majortom1981

Posted
Posted

Depends what the actual story is, which the OP barely gave details on. What I described helps mitigate. (BTW, you responded to my original message prior to a bit of editing)

To prevent offline attacks, the only real "solution" is to manage the machines with BitLocker, a TPM, and Network Unlock.

A BIOS System password is only effect against "some" computers with properly designed firmware. A large majority that I've encountered do not block the F12 (or equivalent) firmware/BIOS boot menus even if a System password is present, including some of Dell's business line machines. Only some actually require authentication if a system password is present. I have some Precision workstations that do intrusion detection great, but only a BIOS user password will prevent a user from calling on the boot menu (and of course block them from using the computer at all without support). I don't believe any vendor is 100% consistent across their motherboard models when it comes to securing its BIOS/Firmware boot menu.

Also, when properly managed, "BitLocker+TPM+Network Unlock" is the better solution than any firmware block or physical lockdown because it requires the end user actually have technical skills. They need to have successful online attacks before an offline attack becomes possible. At this point most failures will be the result of desktop mismanagement.

Obviously it?s a bit trickier on mobile systems, as Network Unlock likely becomes impossible and you have to replace it with +PIN/+USB.

A firmware password would be used to stop the booting off of cd/dvd so they cant boot up a password change dvd

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

"he knows the local admin password on all the campus computers."

While I agree the password should be of significant strength to prevent bruteforce/rainbow tables, etc. You should also not have the same password on every device. They should all be different.

I use to just run a script to change the local admin password on every single machine in the domain. It was a random 20 digit that just dumped out from online password creator - http://www.pctools.com/guides/password/ I just pop these into my script and store in our password log.. Rare that was ever needed, you normally just used your own account that had local rights on all the machines, etc. Only in the case that boxes trust got messed up with the domain or something would you have to use local admin.

This also allowed us to give out local admin in the worse case scenario user was offline and something when wrong where you had to walk him through something with admin rights.. All you gave him was his box, and next time he his box was on the domain you would change it, etc.

Mentor

Karl L.

Posted
Posted

BudMan, that's a really cool idea! None of the companies I have worked for have done that, but they probably should have. That seems like a much better method than generating a strong local admin password that must be changed once every three months. Everyone in IT basically uses their domain admin privileges anyway.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

we had to change them every 3 months as well ;) Which is why the script!! It unrealistic to think you could change password if you had to touch every machine.. And your going to typo it for sure as well ;)

Might not have been that bad on the 50 some local servers, but not going to do it on the 900 plus user boxes.. And what about laptops that rarely come into the office etc.. Just needed to catch them while they are online via the vpn and 2 seconds there you go their local admin is changed.

Oh they were secure as well -- other guys use to bitch if they ever had to use them, or even the domain admin account which again used random 20.. As you said everyone normally used their personal accounts that had the permissions they needed. But every now and then you would have to break out the domain admin account password from the safe. and **** like this can be a pain to type in #luc&ouk?aqL6#iEwr+e

which is why the phonetics come in real handy ;)

(Hash - lima - uniform - charlie - Ampersand - oscar - uniform - kilo - Question - alpha - quebec - LIMA - Six - Hash - india - ECHO - whiskey - romeo - Plus - echo)

Collaborator

ITFiend

Posted
Posted

A firmware password would be used to stop the booting off of cd/dvd so they cant boot up a password change dvd

As I said, there is no guarantee a motherboard actually secures the boot menu just because you set a firmware password. There is no consistent behavior across motherboards even from Dell. If you have 6+ generations worth of different computers, I?m sure that less than half of them will actually behave the same way. Some will ask for authentication, and some won?t care that there is a password and will simply always allow the boot menu to function.

Grand Master

+BudMan MVC

Posted
  • MVC
Posted

Give an example of something that allows you set a firmware password but does not allow you to lock down the boot, or still allows access to the boot menu.

Remove everything but the hdd from boot option, turn off feature to access boot menu, set password.

Even if the boot menu is available, if you alter the boot options then set a password on the firmware you should be good. I don't recall ever in the 30+ years in working/playing with a computers -- once they starting adding bios passwords ;) Not having the ability to lock out what the computer could boot from.

Shoot most users can not figure out how to change the boot order when firmware is NOT locked ;) Or for that matter press F# the system even flashes on the screen that says to change boot order.. So just the fact of changing the boot order to not boot cd/dvd/usb/pxe before the hard should keep most users from being able to run the boot tools.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Nothing kills CMF Phone 2 Pro's successor due to rising memory prices

      By monterxz · Posted

      As I've been usually saying lately - we all can thank "AI" for this.
    • Windows 11 version 26H2 is now available for testing in the latest preview build

      By +TRS-80 · Posted

      Friday Windows 11 preview builds are here. Insiders in the Experimental (formerly Dev) and Beta Channel can download builds 26300.8697 and 26220.8690. My Windows11 device on the Preview Channel just got 26220.8728. My guess is this build is a nightly update from 26220.8690.
    • Traffic has a surprisingly unexpected impact on your surroundings

      By hellowalkman · Posted

      Traffic has a surprisingly unexpected impact on your surroundings by Sayan Sen Image by Radik 2707 via Pexels A collaborative study by researchers from several Israeli institutions found that everyday pollution from traffic and industrial activity measurably changed the atmospheric electric field over the Tel Aviv metropolitan area, providing new evidence of how human activity can influence the lower atmosphere. The research was led by Dr. Roy Yaniv of the Hebrew University of Jerusalem and the Gertner Institute at Sheba Medical Center, Dr. Assaf Hochman of the Fredy & Nadine Herrmann Institute of Earth Sciences at the Hebrew University, and Prof. Yoav Yair of Reichman University. The study also involved Itay Froomer, a student from Hadera High School and the Israeli Museum of Medicine and Science (Technoda), who carried out the work as part of the Ministry of Education's 5-unit physics research track. The researchers focused on the atmospheric electric field under fair-weather conditions. Even in the absence of storms, a weak electric field naturally exists between Earth's surface and the atmosphere. One of the main ways scientists measure this field is through the Potential Gradient (PG), which is the inverse of the vertical component of the electric field. PG is a key part of the global electric circuit, a planet-wide system of electrical currents maintained by thunderstorms and electrified clouds around the world. Scientists have long known that the atmospheric electric field can be influenced by factors ranging from large-scale atmospheric processes to local weather conditions such as dust, fog and clouds. Human-made pollution is also known to play a role, but understanding exactly how urban emissions affect the electric field close to the ground has remained an area of ongoing research. To investigate this relationship, the team analyzed measurements from a newly installed electric field mill, an instrument used to continuously monitor the strength of the atmospheric electric field. The instrument was installed at the Center for Technological Education (Roter House) in Holon and became operational in August 2024. It was funded by Israel's Ministry of Education and the Holon municipality. The electric field mill forms part of a broader monitoring network that includes nearby meteorological stations and air-quality monitoring sites. This allowed researchers to compare electric field measurements with detailed weather data and pollution records to better understand what was driving changes in the Potential Gradient. The study focused on two major urban pollutants: fine particulate matter (PM2.5) and nitrogen oxides (NOx), both commonly produced by vehicle traffic and industrial activity. PM2.5 refers to microscopic airborne particles small enough to remain suspended in the atmosphere for extended periods, while NOx is a group of gases released during fuel combustion. Researchers examined daily, weekly and seasonal patterns in the atmospheric electric field and compared them with changes in pollutant concentrations. Their analysis revealed a clear relationship between NOx levels and changes in the Potential Gradient, particularly during morning and evening rush hours when traffic emissions were at their highest. “What we observe is a direct physical link between emission peaks and electrical variability,” explained Dr. Roy Yaniv. “NOx reduces atmospheric conductivity very quickly, so the electric field responds almost instantaneously during traffic rush hours.” Atmospheric conductivity describes how easily electrical charges move through the air. According to the researchers, nitrogen oxides rapidly alter this conductivity, causing a near-immediate response in the electric field. PM2.5, however, was associated with a delayed response. The researchers attributed this difference to the particles' longer atmospheric residence time, meaning they remain in the atmosphere for longer periods, as well as their different microphysical interactions with surrounding air and atmospheric components. The study also identified a pronounced "weekend effect." In Israel, traffic volumes and some industrial activity decline significantly on Fridays and Saturdays. During these periods, concentrations of both NOx and PM2.5 dropped, and corresponding changes were observed in the atmospheric electric field. “The weekend signal demonstrates just how sensitive the electric field is to changes in human activity,” the researchers noted. “When emissions decline, the electrical environment adjusts at once, providing a high-resolution indicator of urban atmospheric conditions.” The findings showed that pollution levels can influence not only the chemical composition of the atmosphere but also its electrical properties. Researchers said the results strengthened the case for using atmospheric electricity as an additional tool for environmental monitoring, particularly in densely populated urban areas where anthropogenic, or human-caused, influences are most pronounced. The study also pointed to potential public health applications. By combining air-quality measurements with observations of atmospheric electricity, researchers said they could gain a more complete picture of how urban atmospheric conditions change over time. “Integrating air-quality data with electric-field measurements gives us a clearer picture of how the lower atmosphere evolves moment by moment,” the researchers added. “It’s a framework that can support both scientific insight and practical environmental decision-making.” Beyond the scientific findings, the project highlighted a collaboration between universities, public institutions and secondary education. Researchers said the work demonstrated how students could take part in real-world environmental research while contributing to studies of air quality, atmospheric processes and their potential effects on society. Source: Hebrew University, ScienceDirect This article was generated with some help from AI and reviewed by an editor. Under Section 107 of the Copyright Act 1976, this material is used for the purpose of news reporting. Fair use is a use permitted by copyright statute that might otherwise be infringing
    • Microsoft confirms Windows 11 26H2, urges IT admins to prepare for release

      By +TRS-80 · Posted

      We aren't even at the all-star game and Microsoft is talking about an update that will most likely be released during the World Series if not after. A lot can happen in the world between now and the 2026 World Series, including the 2026 FIFA Cup. Tell me about it again after the FIFA Cup is concluded. That should allow plenty of time to prepare for it.
    • Microsoft: Windows 11 could finally solve a major issue across AMD, Nvidia, and Intel GPUs

      By Jdoe25 · Posted

      Great, tell me when I have a "Bad Pool Caller" elsewhere not in Windoze.

  • Recent Achievements

    • Week One Done
      AMV earned a badge
      Week One Done
    • One Month Later
      AMV earned a badge
      One Month Later
    • Collaborator
      ryansurfer98 went up a rank
      Collaborator
    • One Month Later
      Eurosoft10 earned a badge
      One Month Later
    • Week One Done
      Eurosoft10 earned a badge
      Week One Done

  • Popular Contributors

    1. 1
      +primortal
      542
    2. 2
      +Edouard
      186
    3. 3
      Michael Scrip
      77
    4. 4
      PsYcHoKiLLa
      77
    5. 5
      Steven P.
      71
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!