How to stop local administrators from bypassing Group Policy

image_thumb.pngBefore I begin this article might be, for some of you, this will be well know information and it might all seem rather logical. But I continue to see questions being asked on forums as how as a Group Policy administrator can I prevent my users with local admin making a specific change or installing software/drivers on their own computer.

The short answer is you CANT!!!!

You need to think of local administrator are “gods” of their own computers and as such they have the power to do anything on the computer, including overriding any group policies. So, if you knowingly grant local admins for a user to their computer simply assume that you have lost all control of that computer. So always be REALLY sure that the person you are granting local admin access to REALLY has to have that level of access.

Of course user might not always be tech savvy enough to work around GPO restrictions. But if they are not, I would really question why you are granting local admin access to that computer in the first place. However, if you at least start with that assumption that you have lost control of the computers that you have delegated local admin permission on, then you might take a second thought before actually delegating that access to begin with.

For a more detail explanation as to why this is the case then I recommend you read Mark Russinovich (very old but still relevant) blog post at . Put simply, a local admin can break group policy by surgically applying permissions to the registry keys of the GPO being applied so that even the SYSTEM account does not have permission to read or change those registry keys. For example if you try to apply permission to prevent users from installing software , or worse drives, then the local admin can override this setting and install software if they know what they are doing.

Also keep in mind that the same applies to the now deprecated Power Users group  (see ) as members of that group have the same effective access as local administrator.

Also importantly is to remember Law 3 of the 10 Immutable Laws of Security “If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.” which means that a stolen computer can also be easily compromised.

So, by now you might be thinking that all is lost… Security is too hard… we should all get new job. Well, not quiet…

Most of these problems can be mitigated if you just ensure users should only run as standard users level of access and that you have deployed BitLocker (or other full disk encryption software) to your computers. This is fairly common practice now and it does offer good level of confidence that your users, or someone malicious, cannot easily break in to your computers OS’s.

But of course there is no such thing as perfect security and just doing one or a few things is never enough. For example, malicious users or software can become local admin by taking advantage of local privilege escalation attacks or they can break BitLocker by launching DMA attacks via the Firewire port of your computers.

So when it comes to securing your computers in your environment Group Policy is NEVER then only answer. Instead it should be a part of a multi layered approach to securing your environment.

Author: Alan Burchill

Microsoft MVP (Group Policy)

11 thoughts on “How to stop local administrators from bypassing Group Policy

  1. Well….you are right but wrong.
    You can force GPO to reapply even if the policy has not changed.
    You can do this every refresh interval.

  2. Simply you may prefer to use “Restricted Groups” via GPO. That way you can kick off local admins from Administrators group. Of course don’t forgot to add some AD based Group to local membership via Restricted group.
    For me it’s more fullproof way.

  3. Scopex has powered by both the native and Zapier premium with seamless integration of third-party applications to manage your business on single platform

Leave a Reply