Skip navigation
Menu
Compute Engines

JSI Tip 0546 - How do I keep junior administrators from logging on to the PDC locally?

In tip 119, we prevented junior administrators from editing the registry. There is no way to remove the Logon locally user right from the administrators group. You can prevent them from logging on locally by using NFTS permissions on the files listed at:

HKEY_LOCAL_MACHINE\HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Userinit

For each of these files (in %SystemRoot%\System32), grant the specific UserName (not a group) No Access. Make sure that at least one Admin Account can logon locally. The easiest way is to run a batch ( JSIjr "Username"):

cacls %SystemRoot%\System32\nddagnt.exe /E /D "%1"
cacls %SystemRoot%\System32\userinit.exe /E /D "%1"
cacls %SystemRoot%\System32\win.com /E /D "%1"
cacls %SystemRoot%\System32\wowexec.exe /E /D "%1"
exit

Hide comments

More information about text formats

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish
Recommended Reading
empty cockpit of autonomous car
What Is a Real-Time Operating System, and Who Needs One?
Mar 05, 2024
ERP button on keyboard
5 ERP Trends to Watch in 2024
Jan 17, 2024
automation key on keyboard
Storage Management as a Case Study for Network Automation Adoption
Dec 21, 2023
Abstract technology concept lighting effect on dark blue background
Top 10 Stories About Compute Engines, Linux in 2023
Dec 18, 2023