JSI Tip 0546 - How do I keep junior administrators from logging on to the PDC locally?

In tip 119, we prevented junior administrators from editing the registry. There is no way to remove the Logon locally user right from the administrators group. You can prevent them from logging on locally by using NFTS permissions on the files listed at:

HKEY_LOCAL_MACHINE\HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Userinit

For each of these files (in %SystemRoot%\System32), grant the specific UserName (not a group) No Access. Make sure that at least one Admin Account can logon locally. The easiest way is to run a batch ( JSIjr "Username"):

cacls %SystemRoot%\System32\nddagnt.exe /E /D "%1"
cacls %SystemRoot%\System32\userinit.exe /E /D "%1"
cacls %SystemRoot%\System32\win.com /E /D "%1"
cacls %SystemRoot%\System32\wowexec.exe /E /D "%1"
exit

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish