Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: UAC Admin Account Control


25 Jan 2011   #1

Win7 64 pro
 
 
UAC Admin Account Control

Afternoon all,

Looking to see if anyone has any information about local admin control while on a domain.

Basically we'd like to give our laptop users the ability to use UAC with a local administrative account, but we want to ensure that users (or anyone for that matter) do not have the ability to log into that local admin account.

Basically an Admin account with all the permissions it needs to uplift the standard user's permissions, that has no profile to log into.

We've come into situations where we've been giving a local admin account to travelers with their laptops, only to find on their return that they've created their own local admin accounts (with their temporary travel account) to circumvent UAC when they are back in the office. Which of course is completely unacceptable.

Is it possible to create the local account, log into it, then log off, log into another Admin account, and give the new local account "no permissions" to any of its user folders? What are the side effects of doing that?

My System SpecsSystem Spec
.

25 Jan 2011   #2

Microsoft Windows 8.1 Pro 64-bit
 
 

Not entirely sure what you're after, but I would suggest using a simple standard account and giving them the permissions they need to use what programs you allow them to use. Also, you can lower the UAC settings to prompt less often or not at all (As they wont be administrative, they wont be able to get around the UAC).
My System SpecsSystem Spec
25 Jan 2011   #3

Win7 64 pro
 
 

What Im after is to not allow any of our employees to have Admin rights on their office computers. We have a fully staffed IT department to handle administrative requests, like most companies. However, its not feasible to let an employee walk out the door with a work laptop that doesn't have administrative rights while they're on extended travel, since IT will not be available.

Our solution in the past with XP was to create a local admin account for laptops and let the users administer themselves while they were away from the office. However, what we've been noticing is that users are abusing that privilage, and creating their own local accounts with admin rights and using that as their main log in, thus circumventing any security protocols that our GPO is pushing to their domain account.

Now that we're converting over to Windows 7, we'd like to be able to have the freedom of giving the user UAC rights while they are away (a local admin account to verify off of), without giving them the keys to the kingdom (a local admin account to log into). It seems to make sense that an account could be created and locked to all functions except UAC handling. At least logically it does... Or is this the million dollar idea that MS hasn't thought of yet?
My System SpecsSystem Spec
.


25 Jan 2011   #4

Microsoft Windows 8.1 Pro 64-bit
 
 

Is there something wrong with my suggestion earlier? I would still recommend it now: giving them limited accounts and going through and upgrading their permissions for items that you would allow. Users were never meant to have administrative access, microsoft has always geared towards them having limited accounts. That way they are in no position to change things you don't want changed. However, in a large company, to do this for every individual computer may take a while, and I am not sure if there is a Group Policy setting that can handle this all at once. You might wait for another respose or look it up in a search yourself. I can help you search a little later, but You'd have to give me a few hours
My System SpecsSystem Spec
25 Jan 2011   #5

Win7 64 pro
 
 

DustSailor,

Appreciate your response. Weve gone through our GPO with a fine toothed comb and have eliminated the majority of the UAC nags from our standard domain user accounts. That really isn't an issue for us. The problem is that there are still features that pop up with UAC control which we want keep, that way the user knows to call IT if they need to make a change they're not normally allowed to do. But there doesn't seem to be a work around for this when the user is away from the office (MS mentions this on the UAC tech doc). If they are on a 3 month research excursion in the middle of Alaska without a way to call HQ and their computer has issues, they either have to fedex us the laptop, or suck it up till they come home. We want a way to give administrative rights for UAC on a temp basis without giving the user the ability to actually log into that account.

Maybe I'm not explaining what were trying to accomplish very well. Have searched quite a bit on this in the past and keep running up empty.

Basically we run a draconian lock down while users are on their domain account. But we can't be that hardcore when a user is out of the office on a laptop for extended periods of time. We dont want to give up security for an easy button. Allowing UAC to verify off a local account, and not allowing that local account to be 'loggable' seems like a happy median. This way we can disable the local account while its on the network and enable it again when they disconnect (I already know how to do this).
My System SpecsSystem Spec
25 Jan 2011   #6

Microsoft Windows 8.1 Pro 64-bit
 
 

Quote   Quote: Originally Posted by shadowmind View Post
... user knows to call IT if they need to make a change they're not normally allowed to do. But there doesn't seem to be a work around for this when the user is away from the office (MS mentions this on the UAC tech doc). If they are on a 3 month research excursion in the middle of Alaska without a way to call HQ and their computer has issues, they either have to fedex us the laptop, or suck it up till they come home. We want a way to give administrative rights for UAC on a temp basis without giving the user the ability to actually log into that account.

...

Basically we run a draconian lock down while users are on their domain account. But we can't be that hardcore when a user is out of the office on a laptop for extended periods of time. We dont want to give up security for an easy button. ...
Ah, this I do understand, and I can see your difficulty. UAC is very good at keeping people from doing things a company might not like being done, so it is not an easy choice in disabling it.

Quote   Quote: Originally Posted by shadowmind View Post
Allowing UAC to verify off a local account, and not allowing that local account to be 'loggable' seems like a happy median. This way we can disable the local account while its on the network and enable it again when they disconnect (I already know how to do this).

If they were to create their own administrative account while away (local), and upon its reconnection at the office, local is disabled, how is it that they can suddenly gain a workaround from the UAC through their newly created account? From a local administrator, is it possible to disable UAC and then have that carry over to the networked account? I guess I don't understand why they would need to create a new administrative account if they already are given their own local admin account when they travel. But I believe you when you say it is what they use to skirt the UAC. Because you said you disable UAC from admin accounts (or it is rendered useless as they know the password) locally, right?

I'll come right off the bat in telling you I myself know of no such program as you requested in your first post, and am limited in what I can offer as a solution. You may very well have an unaddressed issue that is so rare microsoft has no need to address it (as most companies are not as generous to their employees as yours).

It could cost some more money, but you could force employees to save any work they wish to carry with them on thumb drives and have separate "travelers" computers on the ready.

You could request to send out a memo that employees are not allowed to create new accounts on work computers and force them to talk to the "boss" if found out, provided you have or request the power to do so. I know if I was threated to be fired over something like this I wouldn't do it.

I believe there is a built in full rights local administrative account in windows 7 that is disabled through default (So essentially windows creates 2 admin accounts upon installation). You could enable it and set its password common to all work computers (so there isn't a long list of saved passwords per computer), and create another local administrative account for the traveling employee (or use the default one created with windows). When you need to, you can disable and enable their provided local administrative account with your built in one, and remove any that they've potentially created, but all of this would have to be done manually before they left and after their return, and is very time consuming. It would help if you had some paper with specific directions on how to do this, so that could speed up this process some. This process would prevent users from even seeing their admin account on the welcome screen and prevent them from logging in at all locally. But once again this is prehistoric, but I think I'm out of ideas.

My System SpecsSystem Spec
25 Jan 2011   #7

Microsoft Windows 8.1 Pro 64-bit
 
 

Quote   Quote: Originally Posted by shadowmind View Post
We want a way to give administrative rights for UAC on a temp basis without giving the user the ability to actually log into that account.
ALTHOUGH, I don't think I know what this means. How can one not log into an account but gain UAC administrative rights? lol but again, I will not be very useful help, as my knowledge here is very limited
My System SpecsSystem Spec
Reply

 UAC Admin Account Control




Thread Tools




Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 09:17 PM.
Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App
  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33