I am looking to take the built-in administrator and deny the account the ability to change the IP Settings and continue to allow the Domain Accounts with admin rights to the computer to continue to change the IP settings.Is there a way to do this in the registry or in Group Policy without denying the built-in admin local login ability altogether?This is for a lab expiriment

Hi, Thank you for your post. For built-in administrator, I would like to share the following with you: SID: S-1-5-domain-500 Name: Administrator Description: A user account for the system administrator. By default, it is the only user account that is given full control over the system. (From Well-known security identifiers in Windows operating systems) Regarding this, we can see administrator has full-control on the system. Therefore, based on my knowledge, we could not modify the permissions on this account. At this time, I just want to know if what the exact issue you meet is. I suspect that some of your users can enter the system with built-in administrator account and changed the IP Settings; and you would not like them to do this. Please let me know if it is this case. Thanks. Hope this helps. Nicholas Li TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfd @ microsoft.com. Nicholas Li - MSFT

At this time, I just want to know if what the exact issue you meet is. I suspect that some of your users can enter the system with built-in administrator account and changed the IP Settings; and you would not like them to do this. Please let me know if it is this case. Thanks. Hope this helps. Nicholas Li TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfd @ microsoft.com. Nicholas Li - MSFT That is indeed the case Nicholas, I figure that making them power users on the computer with another account and changing the password to built-in admin or disabling it altogether is the answer, but I was trying to see if there was a way around this.

Hi, Thank you for writing back. With regard to the local administrator account, just as the information I shared, it has full control on the system; since the users have local administrator account on their own, as I know, we could not limit the privileges and permissions of this account technically. I also agree your opinion of getting the local administrator account back and giving another account which have specific limits to the users. This can be a possible solution. Thanks. Nicholas Li TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfb @ microsoft.com.Nicholas Li - MSFT

Hello, How are you doing? I am just checking to see how things are going there. If you would like further assistance, please do not hesitate to let me know. It is my pleasure to help. :) Thanks, and have a great day! Nicholas Li TechNet Subscriber Support in forum If you have any feedback on our support, please contact tngfd@microsoft.com.Nicholas Li - MSFT