Hi,
We (unfortunately) have a requirement for all users to be Local Administrator of their own workstations. We have just been notified of a new requirement to limit access/permissions to a set of installed applications/agents on the system. As such, the user (although a local admin) should not have permissions to delete, execute, modify, etc. specific executables and processes of those executables. The devices are managed by Intune.
Is it possible to do this without 3rd party software? I was not able to find AppLocker configurations on Intune that would allow me to do this. Would it be possible to modify the NTFS permissions of the folders containing the executables? Would this do the job in also preventing the user from stopping processes? Could it break the application in a major way?
Thank you
You can't limit the permissions for (local) admins, and even if you could, an admin has the permissions to change it back.
Create a domain group with the required permissions and assign the users to it.
AppLocker is totally useless if you have local admin accounts. LAPS, which is now also in Azure AD, would be one solution with a temporary account. Once the password is used, it will be renewed, so it could serve as a temporary solution.