Users as Local Admins: Your policies
  • Users as Local Admins: Your policies

    We are in the process of removing local admin privs from our users (Finally!!!).

    As I work through the problems caused by removing admin privs I wonder where other IT people stand on this issue.

    What is your policy (personal or corporate) on users being local admins?

    Is there ever a reason to allow local admin privs?


    We've had a heck of a time working through the problems this has brought up but we've found solutions for all of them so far and most of the time we can push the solution down through a GPO.

    Thanks for your thoughts!
    CCA: XenApp 5.0

  • #2
    Re: Users as Local Admins: Your policies

    Originally posted by bill_sffcu
    Is there ever a reason to allow local admin privs?
    Not unless there is any application that requires it. Even then I'd try to contact the application vendor to see if there are any registry or directory permission changes. Or try Filemon and Regmon from Sysinternals to see what is required in terms of permission changes.

    Ta
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR



    • #3
      Re: Users as Local Admins: Your policies

      I think the only reason we have kept a very small amount of users on local admin was due to errors with Sage Accounting. They may well have a workaround for this now. Really need to check.



      • #4
        Re: Users as Local Admins: Your policies

        All of our users are local admins. This is despite the IT department's unease at having everyone a local admin.

        To my knowledge, there is no program we use which requires that the user be a local admin. However, they are given these privileges because we cannot manage 750 machines/users with only 4 members of IT that provide support (including the IT Manager, Network Administrator, Support Specialist... and the Intern who will soon be leaving).

        Eventually, by implementing WSUS, a single domain, group policy and better network infrastructure, we will be moving users over to regular accounts (no power users). I dream of the day where we don't get tons of laptops in for reload because they are virus-laden.
        ~Kara
        'What we do not make conscious emerges later as fate.' Carl Jung



        • #5
          Re: Users as Local Admins: Your policies

          We had issues with our imaging applications, and particularly Pagemaker which is only installed on one workstation.

          Aside from that I've had some problems with ActiveX controls that need to be installed from websites that our people need access to. Even adding the site to Trusted Sites and modifying the options to automatically install the ActiveX controls did not help. I had to temporarily add the user to the local admins group, log them in and get the ActiveX control installed, then remove them from the local admins group. We've had to use this workaround for a number of things.

          Now if I could just convince management to block all internet access...
          CCA: XenApp 5.0



          • #6
            Re: Users as Local Admins: Your policies

            Originally posted by simonsays
            I think the only reason we have kept a very small amount of users on local admin was due to errors with Sage Accounting. They may well have a workaround for this now. Really need to check.
            We use Sage and accounts are not local administrators. I just make sure the accounts group has full modify permission on the relevant program folders. This includes some in the user profile itself.

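The workaround described in #6 (grant a group Modify on the application's folders instead of making users local admins), as an added PowerShell example that is not part of any post in this thread. The group name `EXAMPLE\Accounts`, the folder path and the function name `Grant-FolderModify` are hypothetical placeholders.

```powershell
# Added example: grant a group Modify (not Full Control) on specific folders.
# Group and folder names are hypothetical; run from an elevated session.
function Grant-FolderModify {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $Group,
        [Parameter(Mandatory)] [string[]] $Path
    )
    $modify  = [System.Security.AccessControl.FileSystemRights]::Modify
    # Apply to the folder, its subfolders and its files.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Group, $modify, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None, 'Allow')

    foreach ($folder in $Path) {
        if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
            Write-Warning "Skipping missing folder: $folder"
            continue
        }
        $acl = Get-Acl -LiteralPath $folder
        # Skip the change if the group already holds an Allow entry covering Modify.
        $already = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $Group -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $modify) -eq $modify
        }
        if (-not $already -and $PSCmdlet.ShouldProcess($folder, "Grant Modify to $Group")) {
            $acl.AddAccessRule($rule)
            Set-Acl -LiteralPath $folder -AclObject $acl
        }
        # Report what the group ends up with on this folder.
        (Get-Acl -LiteralPath $folder).Access |
            Where-Object { $_.IdentityReference.Value -eq $Group } |
            Select-Object @{n='Folder';e={$folder}}, FileSystemRights, IsInherited
    }
}

# Dry run first: -WhatIf shows the intended change without writing the ACL.
Grant-FolderModify -Group 'EXAMPLE\Accounts' -Path 'C:\Program Files\ExampleApp\Data' -WhatIf
```

Granting Modify on a folder that holds executables lets group members replace them, so scope the grant to the data subfolders the application actually writes to where a tool such as Filemon shows that is enough.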


            • #7
              Re: Users as Local Admins: Your policies

              It's really only badly written/documented programs that cause issues. We have a customer that has this problem, and we've now configured WDS for them so that as each user gets a new PC it is standard and they have no extra rights. The only exception is for the PC in each office that runs a business critical app, as the support on the app is pish and they can't or won't tell us the rights required to make it work for a standard user.

              All apps the users need are in the image and they must present a legitimate business reason for anything else, which will be installed by an admin if it is approved. None have so far, but listening to "business reasons" why people need Live Messenger and such things is always entertaining.
              BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
              Cruachan's Blog



              • #8
                Re: Users as Local Admins: Your policies

                What about remoteapps for business critical applications?
                It might be worth considering...
                Marcel
                Technical Consultant
                Netherlands
                http://www.phetios.com
                http://blog.nessus.nl

                MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                "No matter how secure, there is always the human factor."

                "Enjoy life today, tomorrow may never come."
                "If you're going through hell, keep going. ~Winston Churchill"
