A. For the purposes of my answer, you can replace BitLocker with pretty much anything you can set with Group Policy (or any other setting). If you make users local administrators, they're effectively gods of their boxes. It's pretty much impossible to stop them from doing anything. Yes, you can hide Control Panel applets, but users can just try another method, such as PowerShell in BitLocker's case.
If you don't trust users not to cause self harm, they shouldn't be local administrators—it's really that simple. Trying to stop local admins from doing something is ultimately futile if they're determined enough.
0 comments
Hide comments