We have a vendor who, when they have an issue with our IIS server, resets their IIS application pool and uses their login account instead of the dedicated service account, without telling us. This causes havoc since we reset passwords every 90 days.
Is there a way to prevent a user account with local admin privileges from being able to start an application pool?