Privilege Escalation Issue
I'm looking for some guidance on the best way to handle this issue. Here's the scenario:
We're currently running Windows XP Pro and almost everybody has their domain account set as a local administrator. Obviously this is not the best way to run things, and we want to avoid this as we roll out Windows 7 Enterprise edition. We've issued two laptops to users with Windows 7 as testers. Our current domain environment is Windows Server 2003 R2, however in the near future we're building a new domain on Windows Server 2008 R2.
As we roll out Windows 7 we want the user to be set as a standard user. We have set up a local administrator account for the users to escalate their privilege when needed. However, we want to prevent the user from logging in as that local administrator and escalating their domain user account to a local administrator status.
We've tried adding the local administrator to the Deny Logon Locally security policy to prevent users from logging in as that local user and elevating their domain account. However, when they try and use that account to elevate their privilege it comes back as being denied. To verify that the addition of the account to the Deny Logon Locally security setting was the culprit, we removed it from that group and tried the privilege escalation again and it worked.
Does anybody have any ideas on how to accomplish this?
Thanks,
Adam
February 11th, 2011 4:05pm
You need to have those accounts as standard users to keep them out of the admin
February 13th, 2011 10:23pm