Local administrator as default choice when in domain

windows active-directory

Some of our users do some basic management of their Windows computers.
Their accounts are regular users, and they have a local administrator to perform whatever their like: install some crapware, destroy printer settings, allow viruses to take solid ground, etc (I heard some of them act responsibly, but I think this is a local urban legend).
 

Case 1

  • a Windows computer in a workgroup
  • only one local administrator, named "local_admin"

When a regular user needs to enter an admin credential, the popup is filled with "local_admin" and the user just has to enter the password.

➞ perfect
 

Case 2

  • a Windows computer in a workgroup
  • one local administrator named "local_admin 1"
  • one local administrator named "local_admin 2"

When a regular user needs to enter an admin credential, the popup is empty and the user has to enter the "local_admin x" and the password.

➞ how can we pre-fill with "local_admin 1" ?  

Case 3 (the one wich we have)

  • a Windows computer in a domain named "company_domain"
  • the computer's name is "local_name"
  • only one local administrator, named "local_admin" (but I think this is exactly the same thing if their are several)

When a regular user needs to enter an admin credential, the popup is empty BUT the domain is pre-filled with "company_domain". So the user has to enter the user "local_name\local_admin" and the password, which is not convenient because they have to remember/note it most of the time along with the password on a Post-it.

➞ how to pre-fill the local computer's name in place of the domain name, or pre-fill the complete local admin name "local_name\local_admin" ?

We currently create one Active Directory admin_name for each of those users, then configure their computer to put this admin_name into the local admin group (we could alternatively do it from Active Directory).
This method is prone to errors, then leads to problematic admins privileges leaks.


Solution 1:

I think this will answer Case 3 for you.

Run the local group policy editor as Administrator on the user's computer. In Group Policy go to Local Computer Policy\Computer Configuration\Admin templates\Windows Components\Credential User interface.

Right Click "Enumerate administrator accounts on elevation", click "Edit". The configuration window opens. Choose "Enabled" for this setting. "If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password." Choose "Enabled", click "OK" then exit local Group Policy editor.

Whats nice is the prompt will remember the last authenticated local admin account. So the user will only need to put in their local admin password at the next UAC prompt. The local administrators are listed in alphabetical order (tested on Windows 8.1 pro).

Solution 2:

This is the exact scenario Microsoft designed User Account Control for. Just make their personal account a local admin. They get a UAC prompt and click Yes. No typing required. http://windows.microsoft.com/en-us/windows/what-is-user-account-control#1TC=windows-7

Related

Ansible become_user not picking up path correctly
Nginx status information of virtual hosts
Windows Server 2012 R2 and TCP slow start and Hyper-v hosts
How can I prevent spoofed emails from outside thats using my internal accepted domain
Determine target of NTFS reparse point
Add haproxy X-Forwarded-Host request header
NFS4 - Mounting multiple subdirs
TCP Messages Merged?
Using PGPASSWORD variable does not seem to work any more on Postgresql 9.3
HP MSA 2040 for SVOD service
Which key failed in Python KeyError?
Does GZIP Compression Level Have Any Impact On Decompression