Restricting Local Administrators from changing UAC settings

    Question

  • Hi,

    I am a Junior Administrator at my company. At my company, we have a number of developers that are local administrators on their machines. Our developers have the ability to change the UAC settings on their machines, and that compromises our security. 

    I have been researching how to restrict UAC settings via Group Policy, but everything I have read only works on users that do not have local administrator privileges. 

    My question is: Is there a way to lock down UAC settings for local administrators? If so, how can I do this?

    Friday, June 19, 2015 5:16 PM

All replies

  • No - the very fact that they are local administrators means they can bypass any Group Policy setting you configure.


    If my answer helped you, check out my blog: Deploy Happiness

    Friday, June 19, 2015 5:42 PM
  • So you are saying there is no way to restrict local admins from changing UAC settings at all? 
    Friday, June 19, 2015 6:08 PM
  • > So you are saying there is no way to restrict local admins from changing
    > UAC settings at all?
     
    To clarify: There is no way to restrict local admins from ANYTHING... If
    you need to restrict them, don't make them admins.
     

    Greetings/Grüße, Martin

    Fancy reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Monday, June 22, 2015 11:30 AM
  • After a lot of testing, I figured out that there is a way to do this. You can add a computer based policy for restricting UAC, so that after a local admin changes their UAC level, they are prompted to restart their computer. Once restarted, the UAC level goes back to what the group policy specifies.

    Nick Townsend Infrastructure Technician

    • Marked as answer by ntownx5 Thursday, June 25, 2015 12:39 PM
    Thursday, June 25, 2015 12:39 PM
  • > After a lot of testing, I figured out that there is a way to do this.
     
    Not really - it's just making things harder for the less experienced ones :)
     
    > You can add a computer based policy for restricting UAC, so that after a
    > local admin changes their UAC level, they are prompted to restart their
    > computer. Once restarted, the UAC level goes back to what the group
    > policy specifies.
     
    As I am the evil admin, I run regedit and deny system full access to the
    related registry key
    (HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies).
    Done I am, UAC will stay where I want it to stay. And as a side effect,
    all Administrative Templates will remain like I want and not like Domain
    GPO wants.
     
    Let me repeat one more time: You cannot restrict administrators.
    Whatever you do in trying to do so can easily (or not sooo easily) be
    circumvented. That said...
     

    Greetings/Grüße, Martin

    Fancy reading a good book about GPOs?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Thursday, June 25, 2015 12:45 PM
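
A detection-side complement to the thread, as an added example that is not code from any of the posters: a PowerShell audit that flags Deny entries in the ACL of the Policies key named in the last reply and compares the UAC values under its `System` subkey with a baseline. The baseline numbers are assumptions to be replaced with whatever your GPO enforces; the value names (`EnableLUA`, `ConsentPromptBehaviorAdmin`, `PromptOnSecureDesktop`) are the standard UAC registry values and do not appear in the thread.

```powershell
# Added example: audit one machine for the two changes discussed in this thread.
$policiesKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies'
$uacKey      = Join-Path $policiesKey 'System'

# Assumed baseline; set these to the values your domain GPO actually enforces.
$baseline = @{
    EnableLUA                  = 1   # UAC enabled
    ConsentPromptBehaviorAdmin = 2   # prompt for consent on the secure desktop
    PromptOnSecureDesktop      = 1   # elevation prompts on the secure desktop
}

$findings = @()

# 1. Any Deny ACE on the Policies key or its System subkey can stop Group Policy
#    processing (running as SYSTEM) from writing the enforced values back.
foreach ($key in $policiesKey, $uacKey) {
    $acl = Get-Acl -Path $key
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Deny') {
            $findings += [pscustomobject]@{
                Check  = 'DenyAce'
                Target = $key
                Detail = "$($ace.IdentityReference) denied $($ace.RegistryRights) (owner: $($acl.Owner))"
            }
        }
    }
}

# 2. UAC values that differ from the baseline, including missing values.
$current = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
foreach ($name in $baseline.Keys) {
    $actual = if ($current) { $current.$name } else { $null }
    if ($actual -ne $baseline[$name]) {
        $findings += [pscustomobject]@{
            Check  = 'UacValue'
            Target = "$uacKey\$name"
            Detail = "expected $($baseline[$name]), found '$actual'"
        }
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize -Wrap
} else {
    Write-Output "No Deny ACEs found and UAC values match the baseline on $env:COMPUTERNAME."
}
```

Run it from central management and collect the output off the machine: as the replies point out, a local administrator can alter anything stored locally, so this reports drift rather than preventing it.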