Solved

Running users as local admin

Posted on 2004-08-17
Last Modified: 2012-05-05
Here at work, we are running every user as a local admin on their PCs (we are on Active Directory, so they are just regular users). We run them as local admins because if we didn't, a lot of their programs wouldn't run (a lot of state government software). Also, we had a problem with the office suite if we didn't.

Does anyone know how to remedy this? Furthermore, they will not listen to me regarding implementing some GPOs. Now all the users are installing anything they want on the PCs, making my life harder!!
Question by:dissolved
20 Comments
 
LVL 12

Expert Comment

by:Heem14
You need to address this with company security policy - from Management down. This isn't going to be something you are going to be able to handle yourself. Depending on your industry you may be required to deal with certain regulations for network security - HIPAA for example.

There should be no problem running Office - or any other Microsoft product - with regular user rights. If there is, something is not set up right. I'd be interested in knowing what error messages you are getting. As for third party applications - some work and some don't. I would call the vendors and make sure that you are on the latest version, and be quite vocal about the software not functioning properly as a regular user - In MY opinion - if software won't work as a regular user - IT DOESN'T WORK AT ALL, and the programmers need a few lessons in software development and basic security principles.

So, the way I see it - you are not fighting a technical battle here - you are fighting a political one. Without support from higher up management - you are not going to get very far - scream until you are blue in the face. If that doesn't work, get your resume out there and find yourself another job - be very clear as to why you left the company in your exit interview.
 
LVL 25

Expert Comment

by:mikeleebrla
The way to remedy this is to purchase software that is designed to run on Windows 2000/XP with a user account. There is no way around this by tweaking the OS, simply because if the 3rd party software was designed to run as local admin (which a lot are for some reason) then it can't be run as a local user, bottom line. I run a network with 1000s of users and all of them have to be given local admin rights because the major software we use was written to only work with local admin rights. So we have to lock down what users can do at the domain level with GPOs. This has proven to work very well since you can lock them down pretty tight with properly designed/applied GPOs.
 
LVL 9

Expert Comment

by:jdeclue
I am a contractor that primarily works with Federal agencies. Are you a state, local or federal? Your answer lies in Group Policies and many things can be changed to let them run the software without being able to install software. Everything from CD burning software to custom apps can work with the proper group policy. I may be able to point you in the right direction regarding getting your GPOs implemented with permissions from the top.

J
 
LVL 8

Accepted Solution

by:Jeff Rodgers (earned 125 total points)
Create a new user account... configure it as local admin... install all of the apps & verify they work... roll the user back to power user status. Verify the programs still work.   Copy the user account to the default user account and give everyone the right to use it.

Backup each user's information on the local system, and then delete their profiles. Also remove the users from Local Admins. Add the domain users group to the Local Power Users group instead.

When the users log in again their profiles will be recreated based upon the default user profile.  Power users should be able to run but not install most software.  Import the users data back into their new profile.

I have done a fair amount of consulting work with some larger government and utility companies here in Canada.  The bulk of your users will get by quite nicely with only Power User Status.  There are perhaps only a handful of applications where users will require Administrative access.

The primary advantage here is that users cannot install things they aren't supposed to.  The end result is it will save you the grief of removing all of the crap that causes problems.  Sometimes less rights are better.

And yes you should also introduce (with management's blessing, of course) an Acceptable Usage Policy (with teeth preferably... mine is a possible suspension if caught violating the policy), if you don't have one already. That was my first job upon becoming MIT here... since then I have seen a noticeable drop in SPYWARE and Virus Activity... (that and hardening the Firewall, adding GPOs and reducing user rights assignments)

Good Luck

 
LVL 25

Expert Comment

by:mikeleebrla
"Copy the user account to the default user account and give everyone the right to use it." Do you mean the default user profile here?
 

Expert Comment

by:kbergery
Hi,
I'm in the Financial industry and we also had a third party software with the same requirements; however, I gave admin rights in the registry for that software.

HKEY_LOCAL_MACHINE ----> Software ----
On the menu bar: Security -----> Permissions

That should address your concerns
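The two remediations above, the accepted answer's move of domain users from local Administrators to Power Users and kbergery's per-key registry permissions, as an added PowerShell example that is not from any poster in this thread. It assumes a placeholder domain name CORP and a placeholder vendor key HKLM:\SOFTWARE\VendorApp; without -Apply it only reports what it finds.

```powershell
# Added example, not the thread's own code. Audits the local Administrators
# group, optionally moves "Domain Users" to Power Users (steps 5-6 of the
# accepted answer), and optionally grants Users write access to one vendor
# registry key instead of giving them local admin everywhere.
param(
    [string]$Domain = 'CORP',                      # placeholder domain
    [string]$AppKey = 'HKLM:\SOFTWARE\VendorApp',  # placeholder vendor key
    [switch]$Apply                                 # omit for report-only
)

# Parse 'net localgroup <group>': members sit between the dashed rule
# and the trailing "The command completed successfully." line.
function Get-LocalGroupMembers([string]$Group) {
    $lines  = net localgroup $Group 2>$null
    $inList = $false
    foreach ($l in $lines) {
        if ($l -match '^-{5,}')               { $inList = $true; continue }
        if ($l -match '^The command completed') { break }
        if ($inList -and $l.Trim())            { $l.Trim() }
    }
}

$domainUsers = "$Domain\Domain Users"
$admins      = @(Get-LocalGroupMembers 'Administrators')

if ($admins -contains $domainUsers) {
    Write-Host "FINDING: $domainUsers is a member of local Administrators"
    if ($Apply) {
        net localgroup Administrators $domainUsers /delete | Out-Null
        net localgroup 'Power Users'  $domainUsers /add    | Out-Null
    }
}
# Any other domain principal in local Administrators deserves review.
$admins | Where-Object { $_ -like "$Domain\*" -and $_ -ne $domainUsers } |
    ForEach-Object { Write-Host "REVIEW: $_ is a member of local Administrators" }

# Registry workaround: scope the extra rights to the vendor's key only.
# Narrow 'FullControl' to 'ReadKey, WriteKey' if the app just writes values.
if ($Apply -and (Test-Path $AppKey)) {
    $acl  = Get-Acl -Path $AppKey
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        'BUILTIN\Users', 'FullControl',
        'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $AppKey -AclObject $acl
}
```

On Windows Vista and later the Power Users group no longer carries any special rights, so the /add line only matters on the Windows 2000/XP systems discussed in this thread.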
 
LVL 8

Expert Comment

by:Jeff Rodgers
Mikeleebrla ---> right... sorry bad choice of terminology.
 

Author Comment

by:dissolved
Thanks guys. I work for the state. I tried telling them about implementing GPOs, they don't listen. I am getting fed up with what is going on. We have no network topology monitors either. So I've found some rogue WAPs.

Their primary problem is that Office 2000/2003 wants to be run as admin. Is this normal or are they telling me incorrectly?

Thanks
 
LVL 12

Expert Comment

by:Heem14
That is NOT normal for Office to not run as a regular user. We run it in a 1000 user environment and nobody has admin rights.
 

Author Comment

by:dissolved
Jeff, so you are saying to:

1. Create local admin account and install all necessary programs
2. Demote admin account to power user status and verify everything works
3. Copy the power user account to the default user profile
4. Delete all local users and profiles?
5. Remove the users from Local Admins
6. Add the user's security group from AD to the local power user group

Is that correct? Am I missing something?
Thanks
 

Author Comment

by:dissolved
Heem14, do you install the programs under the users account? Or a local admin account? Are you in a domain?

I figured it wasn't normal, just wanted to be sure..
Thanks
 
LVL 12

Expert Comment

by:Heem14
We are in a domain. The applications have been installed either as the domain admin or a local admin - or installed via group policy - all 3 methods have caused no problems with Office.
 
LVL 9

Expert Comment

by:jdeclue
You may have an issue when Office wants to add components etc, and it needs to install the additional components. When you first install Office you should do a Custom Install and be sure to install ALL components. In addition when you push or install Office Service Packs, always look for the Network Administration Version of the Service Pack and install the whole thing. Do not use Office Update etc.

J
 
LVL 8

Expert Comment

by:Jeff Rodgers
More or less yes that is correct... you don't delete the local user accounts on the PC though, only the domain user account profiles after you backup their data (I would copy their profiles elsewhere, just to be sure!)

You would want those same Domain User Accounts removed from the Local Administrator Group.

And then add the Domain Users group to the Local Power Users group.

Most MS Office apps, want to be run one time as Administrator... it adjusts some files on first startup, after that though you shouldn't have any problems.
 
LVL 25

Expert Comment

by:mikeleebrla
"Copy the user account to the default user account and give everyone the right to use it." Do you mean the default user profile here?

"Mikeleebrla ---> right... sorry bad choice of terminology"
 

This will do nothing for you, because security rights come from Active Directory, not from the "Default User" profile. All you accomplish by copying the "Default User" profile is giving each new user (one that hasn't logged into that particular workstation) the same background, desktop settings, etc. They will still have the exact same security rights as before.
 
LVL 8

Expert Comment

by:Jeff Rodgers
Mikeleebrla ---> Yes some security rights come from Active Directory, some also come from the local PC. I can be a domain user and a local administrator and have minimal rights on the domain and full control over my PC.

Per the question... "we are running every user as a local admin on their PCs (we are on active directory, so they are just regular users)."

As I mentioned in my first post, one of the first things I would do is peel back the local access rights of those users who are "regular users" in Active Directory, so that they are no longer in the Local Administrators group.

One of the issues raised in the question is the reason why these people have admin rights in the first place. So that they can install and run their software. By creating a local default user profile with everything configured including software, you take away their need to be local admins.

In terms of applying the Everyone permissions to the new default user profile, the person who creates a profile has ownership and full control over it, no one else does until you give it to them.  

Here let me provide you with a little reading ...
How to Create a Base user profile for All Users.
http://support.microsoft.com/default.aspx?scid=kb;en-us;168475&Product=winxp
How to Create a Custom Default User Profile
http://support.microsoft.com/default.aspx?scid=kb;en-us;319974&Product=winxp

There was a method to my madness... No really...
 
LVL 25

Expert Comment

by:mikeleebrla
but NONE come from the default user profile
 
LVL 8

Expert Comment

by:Jeff Rodgers
You are correct in regard to no rights coming from the default user profile (you do however need to grant rights to use it though... see http://support.microsoft.com/default.aspx?scid=kb;en-us;168475&Product=winxp for details). However now that his users have already installed large amounts of rubbish on their systems, it might be easier to clean house as it were. Delete the largest portion of the junk which normally resides in the user profiles, uninstall the other stuff they have installed and have the users start fresh with a new preconfigured default user profile and diminished user rights (I think I have mentioned the diminished user rights 3 or 4 times before ;) ). In my own world of 300+ users, I never give out admin rights in the first place. There is almost always a better option including having IT install software as the user.
 
LVL 9

Expert Comment

by:jdeclue
Dissolved,

Here is a link to someone with a similar problem with Office. It does not discuss the Local Administrative Rights, but this issue would solve both for Office Users. His users were local admins and he had an issue with updates etc to Office; if his users were not Local Admins, they would have received permission issues. This resolves both problems, Office updates and installation and permissions.

http://www.experts-exchange.com/Operating_Systems/Q_21074165.html

J
 

Expert Comment

by:sosborne007
Maybe automating a 'runas' script to change the registry keys or permissions will work for you.
I've used this in the past, but AD/GPO's are the way to go.  
Be careful exposing that username and password....
 
'Start of Script
'VBRUNAS.VBS
'v1.2 March 2001
'Jeffery Hicks
'jhicks@quilogy.com http://www.quilogy.com
'USAGE: cscript|wscript VBRUNAS.VBS Username Password Command
'DESC: A RUNAS replacement to take password at a command prompt.
'NOTES: This is meant to be used for local access. If you want to run a command
'across the network as another user, you must add the /NETONLY switch to the RUNAS
'command.

' *********************************************************************************
' * THIS PROGRAM IS OFFERED AS IS AND MAY BE FREELY MODIFIED OR ALTERED AS *
' * NECESSARY TO MEET YOUR NEEDS. THE AUTHOR MAKES NO GUARANTEES OR WARRANTIES, *
' * EXPRESS, IMPLIED OR OF ANY OTHER KIND TO THIS CODE OR ANY USER MODIFICATIONS. *
' * DO NOT USE IN A PRODUCTION ENVIRONMENT UNTIL YOU HAVE TESTED IN A SECURED LAB *
' * ENVIRONMENT. USE AT YOUR OWN RISK. *
' *********************************************************************************

On Error Resume Next
dim WshShell,oArgs,FSO

set oArgs=wscript.Arguments

if InStr(oArgs(0),"?")<>0 then
wscript.echo VBCRLF & "? HELP ?" & VBCRLF
Usage
end if

if oArgs.Count <3 then
wscript.echo VBCRLF & "! Usage Error !" & VBCRLF
Usage
end if

sUser=oArgs(0)
sPass=oArgs(1)&VBCRLF
sCmd=oArgs(2)

set WshShell = CreateObject("WScript.Shell")
set WshEnv = WshShell.Environment("Process")
WinPath = WshEnv("SystemRoot")&"\System32\runas.exe"
set FSO = CreateObject("Scripting.FileSystemObject")

if FSO.FileExists(winpath) then
'wscript.echo winpath & " " & "verified"
else
wscript.echo "!! ERROR !!" & VBCRLF & "Can't find or verify " & winpath &"." & VBCRLF & "You must be running Windows 2000 for this script to work."
set WshShell=Nothing
set WshEnv=Nothing
set oArgs=Nothing
set FSO=Nothing
wscript.quit
end if

rc=WshShell.Run("runas /user:" & sUser & " " & CHR(34) & sCmd & CHR(34), 2, FALSE)
Wscript.Sleep 30 'need to give time for window to open.
WshShell.AppActivate(WinPath) 'make sure we grab the right window to send password to
WshShell.SendKeys sPass 'send the password to the waiting window.

set WshShell=Nothing
set oArgs=Nothing
set WshEnv=Nothing
set FSO=Nothing

wscript.quit

'************************
'* Usage Subroutine *
'************************
Sub Usage()
On Error Resume Next
msg="Usage: cscript|wscript vbrunas.vbs Username Password Command" & VBCRLF & VBCRLF & "You should use the full path where necessary and put long file names or commands" & VBCRLF & "with parameters in quotes" & VBCRLF & VBCRLF &"For example:" & VBCRLF &" cscript vbrunas.vbs quilogy\jhicks luckydog e:\scripts\admin.vbs" & VBCRLF & VBCRLF &" cscript vbrunas.vbs quilogy\jhicks luckydog " & CHR(34) &"e:\program files\scripts\admin.vbs 1stParameter 2ndParameter" & CHR(34)& VBCRLF & VBCRLF & VBCRLF & "cscript vbrunas.vbs /?|-? will display this message."

wscript.echo msg

wscript.quit

end sub
'End of Script