I have a fully managed environment (AD authentication, using managed preferences from OD) that I am testing before rollout.
My concern is that once this is rolled out, admin users will be able to create local admin accounts (I can’t block the accounts pane, otherwise users will not be able to change their passwords), then log in and bypass preference management.
Is there a way for local admin accounts logging on to inherit a default set of preferences that are only applied when a local account (or someone not in one of my directory groups) logs in, or better still – DENY local admins from logging in altogether (except root), or deny anyone from being able to create new local accounts?
(Please don’t suggest denying the users admin rights – it’s not possible for political reasons).
Many thanks in advance!
FZ.