Logged in user deletes localadmin or takes admin rights from localadmin.

asd_alozano
New Contributor

Hi. Just putting it out there in case anyone has any thoughts about this.

Our students log in as AD users, then make themselves admins using the Self Service Portal.

Once in a while a student goes and deletes the localadmin user, or makes the localadmin a standard user, or deletes other users.

Is there a way to prevent them from doing this?

Thanks for the suggestions.


AVmcclint
Honored Contributor

Threaten them with expulsion if they do it again. :-)

Ludeth
New Contributor II

Since you are making them admins, there's not really any way to stop them. I agree with @AVmcclint on this one. Don't try to solve an HR/administrative issue with technical tools. Recognize when they are separate and act accordingly. I'm not saying don't put reasonable security and controls in place, etc., but in this case maybe work with your administration to come up with a good punishment if a student knowingly violates your User/Use policy.

Nix4Life
Valued Contributor

It sounds like you need a configuration management tool (puppet/ansible/chef/salt or osquery w/zentral).
@AVmcclint is correct about creating a workplace policy, but it all comes down to
"Our students login as AD users, then makes themselves admin using the Self Service Portal"
As long as they have admin rights, you will be in a continual loop of trying to solve related issues. Lastly, if they are smart enough to do that, they are smart enough to look at sites like this to see what you are thinking about doing and find a workaround.

joshuasee
Contributor III

The above advice is good, but if you do want to obfuscate things a bit, block access to the Users & Groups preference pane with a config profile when you promote them, then unblock it afterwards. They can change their own password in the Security prefpane. Also, set up a daily policy to create localadmin on any relevant computers that don't have it.

mm2270
Legendary Contributor III

It's certainly true that once any user has admin rights, your ability to restrict or control what they can do lessens a LOT, and it ends up becoming a mostly losing battle to control that. However, have you looked at things like MakeMeAdmin from Jamf? I implemented that for someone I've been assisting, and it works very nicely. In addition to giving them a limited amount of time to be an admin, it has a companion EA that will track the system's compliance state. Meaning, if they make undesired modifications, like removing your local admin account or creating additional admin accounts for themselves, it will report on this and can even take the action of removing those rogue admin accounts created by the user once it flips them back to standard accounts. I forget now, but it may also be able to get your hidden local admin account back on the machine. Even if it doesn't, it's not hard to set up a recurring policy to ensure that account stays on there.

Again, like stated above by everyone else, there is NO actual technical solution to this since admin means they can do many things to the machine, but you can at least take some measures to report on when someone is going outside of the accepted use policy. And once you have accurate reporting on this, you can take this data to your administration so they can take over with any disciplinary actions, if needed.
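As an added example (not code from this thread, from Jamf, or from the MakeMeAdmin project), here is a Jamf-style script that covers the two measures suggested above by joshuasee and mm2270: an extension-attribute check that reports whether the hidden localadmin account is still an admin and which other accounts hold admin rights, and a policy action that demotes rogue admins and recreates or re-promotes localadmin. It assumes the account is named `localadmin`, that its password is passed in as Jamf script parameter `$4`, and that `ALLOWED_ADMINS` lists the accounts permitted in the admin group; the sample `GroupMembership` line is constructed so the reporting logic can be exercised off a Mac.

```shell
#!/bin/bash
# Added example: report admin-group drift and repair the hidden localadmin account.
# Not the thread's, Jamf's or MakeMeAdmin's code. Assumptions: the account is
# named "localadmin", its password arrives as Jamf parameter $4, and
# ALLOWED_ADMINS is the set of accounts that may legitimately be admins.

LOCAL_ADMIN="localadmin"
ALLOWED_ADMINS="root ${LOCAL_ADMIN}"
LOCAL_ADMIN_PASS="${4:-}"

# Print admin-group members that are not on the allow-list, space-separated.
# $1 is the line dscl prints, e.g. "GroupMembership: root localadmin jdoe".
rogue_admins() {
    local membership="$1" allowed="$2" user out=""
    for user in ${membership#GroupMembership:}; do
        case " ${allowed} " in
            *" ${user} "*) ;;                # on the allow-list, skip
            *) out="${out} ${user}" ;;
        esac
    done
    printf '%s' "${out# }"
}

# Exit 0 if account $2 appears in membership line $1.
is_member() {
    case " ${1#GroupMembership:} " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Extension-attribute value: Jamf stores whatever is between <result> tags.
ea_result() {
    local membership="$1" rogue missing="none"
    rogue="$(rogue_admins "${membership}" "${ALLOWED_ADMINS}")"
    is_member "${membership}" "${LOCAL_ADMIN}" || missing="${LOCAL_ADMIN}"
    if [ "${missing}" = "none" ] && [ -z "${rogue}" ]; then
        printf '<result>Compliant</result>'
    else
        printf '<result>Non-compliant: missing=%s rogue=%s</result>' \
            "${missing}" "${rogue:-none}"
    fi
}

# Policy action (macOS only, runs as root under Jamf): demote rogue admins and
# bring localadmin back, whether it was deleted or merely made a standard user.
remediate() {
    local membership="$1" user
    for user in $(rogue_admins "${membership}" "${ALLOWED_ADMINS}"); do
        echo "Demoting ${user} to standard user"
        dseditgroup -o edit -d "${user}" -t user admin
    done
    if ! is_member "${membership}" "${LOCAL_ADMIN}"; then
        if dscl . -read "/Users/${LOCAL_ADMIN}" >/dev/null 2>&1; then
            echo "${LOCAL_ADMIN} exists but was demoted; restoring admin rights"
            dseditgroup -o edit -a "${LOCAL_ADMIN}" -t user admin
        elif [ -z "${LOCAL_ADMIN_PASS}" ]; then
            echo "${LOCAL_ADMIN} is missing but no password was passed in \$4; not creating it" >&2
            return 1
        else
            echo "Recreating hidden ${LOCAL_ADMIN} admin account"
            sysadminctl -addUser "${LOCAL_ADMIN}" -fullName "Local Admin" \
                -password "${LOCAL_ADMIN_PASS}" -admin
            dscl . -create "/Users/${LOCAL_ADMIN}" IsHidden 1
        fi
    fi
}

if command -v dscl >/dev/null 2>&1; then
    # Live run on a Mac: read the real admin group, report, then repair.
    membership="$(dscl . -read /Groups/admin GroupMembership)"
    ea_result "${membership}"; echo
    remediate "${membership}"
else
    # Constructed sample line so the reporting logic can be tried elsewhere.
    sample="GroupMembership: root localadmin student42"
    ea_result "${sample}"; echo
fi
```

Use the `ea_result` half as the extension attribute (so a smart group can collect non-compliant machines) and the `remediate` half as a recurring policy scoped to that group, as the posts above suggest. The split between detection and repair matters: the EA gives you the reporting to hand to your administration, and the policy keeps the account present without depending on the student not having touched it.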

tnielsen
Valued Contributor

Beat them with a thin stick.