I have an issue, where I want to prevent domain users with administrative rights from modifying the password of the local administrator account on their respective computers. Any way of implementing this?

2 Years
Discussion Span
Last Post by sam07

I think this is nearly impossible. I had an IT staffer that wanted to do this and told them it wasn't possible today. Why? Tools like NTPASSWD make resetting the local admin a snap. Yes it got a little harder with the new BIOS (EFI) but not a big hurdle.

All this has us recalling what a PC is. It's a personal computer and not a terminal. If you need to get absolute control you may have to look at thin clients and such.

Votes + Comments
Thanks for the info

Hi there, you may try this, You can remove the domain users from local administrator group. To do so, use this
[Computer Configuration\Windows Settings\Security Settings\Restricted Groups]
and you can visit this for more info. . .technet.microsoft.com/en-us/library/cc785631(WS.10).aspx

Votes + Comments
Check the question again. This won't stop local password changes.
This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.