
Deny desktop admin rights to Domain Admins?

Discussion in 'Security and Privacy' started by perdenab, 2005/01/27.

Thread Status:
Not open for further replies.
  1. 2005/01/27
    perdenab

    perdenab Inactive Thread Starter

    Joined:
    2005/01/27
    Messages:
    2
    Likes Received:
    0
    I would like to prevent our domain admin users from having any admin privileges on their own desktops.

    This is in order to prevent IE and other apps running with admin privileges on their desktops.

    If anyone does admin work, I want it to be using a different, privileged account, using RUNAS or a remote desktop connection of some kind (or the local admin user, from the console.)

    Is there a way to deny domain admin users this specific privilege?
     
  2. 2005/01/27
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    What problem are you trying to fix - other than having way too many domain admins?
     
    Newt,
    #2


  4. 2005/01/28
    JoeHobart

    JoeHobart Inactive Alumni

    Joined:
    2004/05/19
    Messages:
    919
    Likes Received:
    1
    I would like to prevent our domain admin users from having any admin privileges on their own desktops.

    In the NT world, you cannot *prevent* a domain admin from doing adminy things to a machine joined to a domain. You can put in a bunch of speed bumps, but you aren't going to prevent them if they are motivated.

    I have two suggestions. First, create twin accounts for admins, Joe and JoeAdmin. Set up a bunch of runas shortcuts for MMC and such, as you said. This is the more common way of doing it.

    Second, take Domain Admins out of the local Administrators group on their desktops (noting they could put it right back in after you leave).
     
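    An added audit script for the second suggestion (this is not code from the thread or from any of its posters): it lists the local Administrators group on a workstation, reports whether the domain's Domain Admins group is a member, removes it only when explicitly asked, and warns if the interactive logon token itself carries Domain Admins. It assumes a modern Windows build with the Microsoft.PowerShell.LocalAccounts cmdlets (Get-LocalGroupMember / Remove-LocalGroupMember); the domain name CONTOSO and the JoeAdmin account in the comment are placeholders.

```powershell
# Added example (not from the thread). Report-only unless -Remove is given.
# Assumes Windows 10 / Server 2016+ for the *-LocalGroupMember cmdlets.
param(
    [string]$DomainNetBios = 'CONTOSO',   # placeholder NetBIOS domain name
    [switch]$Remove                        # actually remove the entry
)

$group  = 'Administrators'
$target = "$DomainNetBios\Domain Admins"

# 1. Who currently has local admin on this workstation?
$members = Get-LocalGroupMember -Group $group
$members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 2. Is Domain Admins nested in the local Administrators group?
$hit = $members | Where-Object { $_.Name -ieq $target }
if ($hit) {
    Write-Warning "$target is a member of the local $group group."
    if ($Remove) {
        # Remove-LocalGroupMember supports -WhatIf if you want a dry run instead
        Remove-LocalGroupMember -Group $group -Member $target -Confirm:$false
        Write-Host "Removed $target from $group."
    } else {
        Write-Host "Report-only mode; re-run with -Remove to take it out."
    }
} else {
    Write-Host "$target is not in the local $group group."
}

# 3. Is the interactive user browsing/reading mail with a Domain Admins token?
# whoami /groups prints the groups present in the current logon token.
$tokenGroups = whoami /groups
if ($tokenGroups -match 'Domain Admins') {
    Write-Warning "Current logon token carries Domain Admins; do daily work from the non-admin twin account."
    # Admin tasks then run from the privileged twin, e.g. (placeholder account):
    #   runas /user:CONTOSO\JoeAdmin "mmc.exe compmgmt.msc"
}
```

    Run it from an elevated prompt on the workstation being audited; step 3 is the check that matters for the original question, since a user whose everyday token includes Domain Admins gives every browser and mail client that token too.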
  5. 2005/01/28
    perdenab

    perdenab Inactive Thread Starter

    Joined:
    2005/01/27
    Messages:
    2
    Likes Received:
    0
    What I am looking for is for the policy to say, "this user is normally a full admin, but on this workstation (or set of workstations) he is just an unprivileged user".

    I realize an admin can change this back. The purpose of the change is to permit our domain admins in their daily work to browse the internet, run Outlook etc without the concern that spyware, malicious emails etc will install/run with admin privileges.

    My preferred solution to this, longer term, is to simply create a second domain with the same scope as our existing one, but containing only our admin users, then remove admin privs from users in the first domain. Admin "Joe" would then have accounts in both domains. He'd do his normal work as \\DOMAIN1\Joe, but for admin work would do RUNAS etc etc as \\DOMAIN2\Joe.

    What I am looking for is an interim (and admittedly voluntary) fix until this can be done.

    Thanks, and sorry for the lack of clarity/context in my original post.
     
  6. 2005/01/28
    ericiga

    ericiga Inactive

    Joined:
    2004/11/19
    Messages:
    76
    Likes Received:
    0
    I'm with Joe; the only real way to do this is to have two accounts for your admins. One they use for their everyday work and one with domain admin rights for when working on the servers or wherever they need those rights.

    We use First Initial Last Name for all of our accounts, and then the accounts for domain admin access also include our middle initial.
     