we have some developers with local administrator privileges only on their own devices with a dedicated administrative account (username_locadm).
We would like to block these accounts when they try to add other user accounts in the local groups (e.g. local administrators group or power users group) using any means like command prompt or scripts.
Is it something possible ?
Thanks for your help !
Hi @Buijspa ,
We don't have any available script to block administrators from creating other administrator users.
You may create a service request to check with support for any suggestions. Usually scripting is done by a team called Professional Services.
thanks for your quick reply.
I tough that expert rules are able to block some commands like « net localgroup*administrators*add », even if the user is administrator.
Am I wrong ?
We can disable the GUI (mmc snap-in) via GPO.
But do you think we are able to block a script (vbscript, PoSh, .. commands) to add a user account in a local group?
Thanks for your help.