Posted on 10-23-2017 03:56 AM
Hi. Just putting it out there in case anyone has any thoughts about this.
Our students log in as AD users, then make themselves admin using the Self Service Portal.
Once in a while a student goes and deletes the localadmin user, or makes the localadmin a standard user, or deletes other users.
Is there a way to prevent them from doing this?
Thanks for the suggestions.
Posted on 10-23-2017 05:28 AM
Threaten them with expulsion if they do it again. :-)
Posted on 10-23-2017 06:34 AM
Since you are making them admins, there is not really any way to stop them. I agree with @AVmcclint on this one. Don't try to solve an HR/administrative issue with technical tools. Recognize when they are separate and act accordingly. I'm not saying don't put reasonable security and controls in place etc., but in this case maybe work with your administration to come up with a good punishment if a student knowingly violates your User/Use policy.
Posted on 10-23-2017 06:53 AM
It sounds like you need a configuration management tool (puppet/ansible/chef/salt, or osquery w/ zentral).
@AVmcclint is correct about creating a workplace policy, but it all comes down to
"Our students login as AD users, then makes themselves admin using the Self Service Portal"
As long as they have admin rights, you will be in a continual loop of trying to solve related issues.
Lastly, if they are smart enough to do that, they are smart enough to look at sites like this to see what you are thinking about doing and find a workaround.
Posted on 10-23-2017 07:12 AM
The above advice is good, but if you do want to obfuscate things a bit, block access to the Users & Groups preference pane with a config profile when you promote them, then unblock it afterwards. They can change their own password in the Security prefpane. Also, set up a daily policy to create localadmin on any relevant computers that don't have it.
Posted on 10-23-2017 08:12 AM
It's certainly true that once any user has admin rights, your ability to restrict or control what they can do lessens a LOT, and it ends up becoming a mostly losing battle to control that. However, have you looked at things like MakeMeAdmin from Jamf? I implemented that for someone I've been assisting, and it works very nicely. In addition to giving them a limited amount of time to be an admin, it has a companion EA that will track the system's compliance state. Meaning, if they make undesired modifications, like removing your local admin account or creating additional admin accounts for themselves, it will report on this and can even take an action of removing those rogue admin accounts created by the user once it flips them back to standard accounts. I forget now, but it may also be able to get your hidden local admin account back on the machine. Even if it doesn't, it's not hard to set up a recurring policy to ensure that account stays on there.
Again, like stated above by everyone else, there is NO actual technical solution to this since admin means they can do many things to the machine, but you can at least take some measures to report on when someone is going outside of the accepted use policy. And once you have accurate reporting on this, you can take this data to your administration so they can take over with any disciplinary actions, if needed.
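A worked example of the two mechanisms the replies above describe: the recurring policy that makes sure `localadmin` exists and stays in the admin group, and the extension attribute that reports admin accounts a student created after promoting themselves. This is added example code, not part of the thread and not Jamf's MakeMeAdmin or its EA; the management account name `localadmin`, the allow-list of expected admins, the `DEMOTE_ROGUE` switch and the sample member lists are assumptions (the `<result>` wrapper follows the usual Jamf EA output convention). The comparison logic is kept in functions that take the admin group's member list as plain text, so it can be exercised on any machine; the `dscl` and `dseditgroup` calls only run on macOS.

```shell
#!/bin/bash
# Assumed names: the hidden management account and the accounts that are
# allowed to be in the local "admin" group. Anything else is reported as rogue.
LOCAL_ADMIN="localadmin"
EXPECTED_ADMINS="root localadmin"
DEMOTE_ROGUE="${DEMOTE_ROGUE:-0}"   # set to 1 to remove rogue accounts from admin

# Print the members of the admin group, one per line, that are not on the
# allow-list. Input is a space-separated member list (as dscl prints it).
rogue_admins() {
    local members="$1" m e found
    for m in $members; do
        found=0
        for e in $EXPECTED_ADMINS; do
            if [ "$m" = "$e" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then echo "$m"; fi
    done
    return 0
}

# Return 0 if $1 appears in the space-separated member list $2, else 1.
has_account() {
    local wanted="$1" members="$2" m
    for m in $members; do
        if [ "$m" = "$wanted" ]; then return 0; fi
    done
    return 1
}

# Build the EA result string for a given member list.
ea_result() {
    local members="$1" problems="" rogue
    if ! has_account "$LOCAL_ADMIN" "$members"; then
        problems="$LOCAL_ADMIN missing from admin group"
    fi
    rogue=$(rogue_admins "$members" | tr '\n' ' ' | sed 's/ *$//')
    if [ -n "$rogue" ]; then
        if [ -n "$problems" ]; then problems="$problems; "; fi
        problems="${problems}rogue admins: $rogue"
    fi
    if [ -n "$problems" ]; then
        echo "<result>Non-compliant: $problems</result>"
    else
        echo "<result>Compliant</result>"
    fi
}

# macOS only: read the admin group's membership from the local directory.
current_admin_members() {
    dscl . -read /Groups/admin GroupMembership 2>/dev/null | sed 's/^GroupMembership: //'
}

# macOS only: the "daily policy" half. Put localadmin back into the admin
# group if a student demoted it; if the account itself is gone, say so
# (recreating it with a password belongs in a Jamf policy, not a script).
remediate() {
    local members="$1" m
    if id -u "$LOCAL_ADMIN" >/dev/null 2>&1; then
        if ! has_account "$LOCAL_ADMIN" "$members"; then
            dseditgroup -o edit -a "$LOCAL_ADMIN" -t user admin
        fi
    else
        echo "$LOCAL_ADMIN does not exist on this Mac; recreate it from a policy" >&2
    fi
    if [ "$DEMOTE_ROGUE" = "1" ]; then
        for m in $(rogue_admins "$members"); do
            dseditgroup -o edit -d "$m" -t user admin
        done
    fi
}

# Run the real check only on a Mac; elsewhere the functions are just defined.
if [ "$(uname)" = "Darwin" ] && command -v dscl >/dev/null 2>&1; then
    members="$(current_admin_members)"
    remediate "$members"
    ea_result "$members"
fi
```

Used as an EA, only the `ea_result` line matters and `remediate` should be dropped; used as a policy script, drop `ea_result`. Keeping the allow-list explicit means a promoted student who adds a second admin account shows up in inventory on the next recon, which is the reporting the thread recommends taking to your administration.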
Posted on 10-23-2017 10:59 AM
Beat them with a thin stick.