I have an issue, where I want to prevent domain users with administrative rights from modifying the password of the local administrator account on their respective computers. Any way of implementing this?
I think this is nearly impossible. I had an IT staffer that wanted to do this and told them it wasn't possible today. Why? Tools like NTPASSWD make resetting the local admin a snap. Yes it got a little harder with the new BIOS (EFI) but not a big hurdle.
All this has us recalling what a PC is. It's a personal computer and not a terminal. If you need to get absolute control you may have to look at thin clients and such.
Hi there, you may try this, You can remove the domain users from local administrator group. To do so, use this
[Computer Configuration\Windows Settings\Security Settings\Restricted Groups]
and you can visit this for more info. . .technet.microsoft.com/en-us/library/cc785631(WS.10).aspx