dissolved asked:
Running users as local admin

Here at work, we are running every user as a local admin on their PCs (we are on Active Directory, so they are just regular users). We run them as local admins because if we didn't, a lot of their programs wouldn't run (lots of state government software). Also, we had a problem with the Office suite if we didn't.

Does anyone know how to remedy this? Furthermore, they will not listen to me regarding implementing some GPOs. Now all the users are installing anything they want on the PCs. Making my life harder!!
Heem14:
You need to address this with company security policy, from management down. This isn't going to be something you are going to be able to handle yourself. Depending on your industry, you may be required to deal with certain regulations for network security (HIPAA, for example).

There should be no problem running Office, or any other Microsoft product, with regular user rights. If there is, something is not set up right. I'd be interested in knowing what error messages you are getting. As for third-party applications, some work and some don't. I would call the vendors and make sure that you are on the latest version, and be quite vocal about the software not functioning properly as a regular user. In MY opinion, if software won't work as a regular user, IT DOESN'T WORK AT ALL, and the programmers need a few lessons in software development and basic security principles.

So, the way I see it, you are not fighting a technical battle here; you are fighting a political one. Without support from higher-up management you are not going to get very far, scream until you are blue in the face. If that doesn't work, get your resume out there and find yourself another job, and be very clear as to why you left the company in your exit interview.

The way to remedy this is to purchase software that is designed to run on Windows 2000/XP with a user account. There is no way around this by tweaking the OS, simply because if the 3rd-party software was designed to run as local admin (which a lot are, for some reason) then it can't be run as a local user, bottom line. I run a network with thousands of users and all of them have to be given local admin rights because the major software we use was written to only work with local admin rights. So we have to lock down what users can do at the domain level with GPOs. This has proven to work very well, since you can lock them down pretty tight with properly designed/applied GPOs.

I am a contractor that primarily works with Federal agencies. Are you state, local or federal? Your answer lies in Group Policies, and many things can be changed to let them run the software without being able to install software. Everything from CD-burning software to custom apps can work with the proper group policy. I may be able to point you in the right direction regarding getting your GPOs implemented with permission from the top.

J
ASKER CERTIFIED SOLUTION
Jeff Rodgers
"Copy the user account to the default user account and give everyone the right to use it."  do you mean the default user profile here?
Hi,
I'm in the financial industry and we also had third-party software with the same requirements; however, I gave admin rights in the registry for that software.

HKEY_LOCAL_MACHINE ----> Software ---->
On the menu bar: Security -----> Permissions

That should address your concerns.
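The registry-permission approach in the post above, as an added example (this is not code from the thread or from any of the posters): rather than leaving users in local Administrators because one application insists on writing under HKLM\SOFTWARE, grant the group that runs the application write access to the vendor's key only. The key path HKLM:\SOFTWARE\ExampleVendor\ExampleApp and the group CONTOSO\App-Users are placeholders; substitute the key the application actually fails on (Process Monitor filtered on ACCESS DENIED results while a non-admin launches the app shows which one). The rights granted are deliberately less than Full Control, so users cannot widen the grant themselves.

```powershell
#Requires -RunAsAdministrator
# Added example; the key path and group name are placeholders, not from the thread.
$KeyPath  = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'
$Identity = 'CONTOSO\App-Users'

function Grant-AppKeyWrite {
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        [Parameter(Mandatory)][string]$Identity
    )
    if (-not (Test-Path -Path $KeyPath)) {
        throw "$KeyPath does not exist; install the application first so the vendor creates it."
    }

    # Only what a settings-writing app needs. ReadKey = QueryValues + EnumerateSubKeys
    # + Notify + ReadPermissions. ChangePermissions and TakeOwnership are NOT granted,
    # so members of the group cannot re-ACL the key to give themselves more.
    $rights  = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey, Delete'
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit   # subkeys too
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $rule    = [System.Security.AccessControl.RegistryAccessRule]::new(
                   $Identity, $rights, $inherit, $prop,
                   [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -Path $KeyPath
    $acl.SetAccessRule($rule)          # replaces any existing Allow rule for this identity
    Set-Acl -Path $KeyPath -AclObject $acl
}

function Test-AppKeyWrite {
    # Shows the Allow entries the ACL now carries for the identity, for verification.
    param(
        [Parameter(Mandatory)][string]$KeyPath,
        [Parameter(Mandatory)][string]$Identity
    )
    (Get-Acl -Path $KeyPath).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq 'Allow' } |
        Select-Object IdentityReference, RegistryRights, InheritanceFlags, IsInherited
}

Grant-AppKeyWrite -KeyPath $KeyPath -Identity $Identity
Test-AppKeyWrite  -KeyPath $KeyPath -Identity $Identity
```

Scope the grant to the vendor's own key, never to HKLM\SOFTWARE itself: a writable HKLM\SOFTWARE lets a standard user tamper with every other product's machine-wide configuration. If Process Monitor also shows denied writes to the install directory, the same idea applies to the file system, for example `icacls "C:\Program Files\ExampleVendor" /grant "CONTOSO\App-Users:(OI)(CI)M"` (placeholder path and group), again on the vendor folder only and not on Program Files as a whole.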
Mikeleebrla ---> right... sorry, bad choice of terminology.
dissolved (ASKER):
Thanks guys. I work for the state. I tried telling them about implementing GPOs; they don't listen. I am getting fed up with what is going on. We have no network topology monitors either, so I've found some rogue WAPs.

Their primary problem is that Office 2000/2003 wants to be run as admin. Is this normal, or are they telling me incorrectly?

Thanks
That is NOT normal; Office should run as a regular user. We run it in a 1000-user environment and nobody has admin rights.
Jeff, so you are saying to:

1. Create a local admin account and install all necessary programs
2. Demote the admin account to Power User status and verify everything works
3. Copy the Power User account to the default user profile
4. Delete all local users and profiles?
5. Remove the users from Local Administrators
6. Add the users' security group from AD to the local Power Users group

Is that correct? Am I missing something?
Thanks
Heem14, do you install the programs under the user's account or a local admin account? Are you in a domain?

I figured it wasn't normal, just wanted to be sure.
Thanks
We are in a domain. The applications have been installed either as the domain admin or a local admin, or installed via group policy; all three methods have caused no problems with Office.
You may have an issue when Office wants to add components and needs to install the additional components. When you first install Office you should do a Custom Install and be sure to install ALL components. In addition, when you push or install Office service packs, always look for the Network Administration version of the service pack and install the whole thing. Do not use Office Update etc.

J
More or less, yes, that is correct... you don't delete the local user accounts on the PC though, only the domain user account profiles, after you back up their data (I would copy their profiles elsewhere, just to be sure!).

You would want those same Domain User accounts removed from the local Administrators group.

And then add the Domain Users group to the local Power Users group.

Most MS Office apps want to be run one time as Administrator... it adjusts some files on first startup; after that, though, you shouldn't have any problems.
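Steps 5 and 6 of the procedure discussed above (take the domain users out of local Administrators, then put their group where you want it), as an added example that is not code from the thread: it lists who is in local Administrators, removes everyone not on an allow-list, and adds the domain users' group to the target local group only if it is missing. CONTOSO, Workstation Admins and the allow-list entries are placeholders. Two caveats the thread predates: the LocalAccounts cmdlets need Windows 10 / Server 2016 or later (on older systems the equivalent is `net localgroup Administrators "CONTOSO\jdoe" /delete`), and from Windows Vista onward the Power Users group carries no rights beyond Users unless a security template re-adds them, so moving people there gains nothing; the example therefore targets Users, where Domain Users normally already sits after domain join.

```powershell
#Requires -RunAsAdministrator
# Added example; domain name, group names and the allow-list are placeholders.
$Domain  = 'CONTOSO'
$Allowed = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin (disable or rename per policy)
    "$Domain\Domain Admins",
    "$Domain\Workstation Admins"         # hypothetical group for desktop-support staff
)

function Get-UnexpectedLocalAdmins {
    param([Parameter(Mandatory)][string[]]$Allowed)
    # Name is returned as DOMAIN\account or COMPUTER\account; -notcontains is case-insensitive.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Allowed -notcontains $_.Name }
}

function Remove-UnexpectedLocalAdmins {
    # Supports -WhatIf so the change can be previewed before anything is removed.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Allowed)
    $removed = @()
    foreach ($m in Get-UnexpectedLocalAdmins -Allowed $Allowed) {
        if ($PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
            $removed += $m.Name
        }
    }
    $removed
}

function Add-LocalGroupMemberIfMissing {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string]$Member
    )
    $present = Get-LocalGroupMember -Group $Group | Where-Object { $_.Name -eq $Member }
    if (-not $present) {
        Add-LocalGroupMember -Group $Group -Member $Member
    }
}

# Dry run first: prints what would be removed and touches nothing.
Remove-UnexpectedLocalAdmins -Allowed $Allowed -WhatIf

# Then for real, and make sure the standard users' group is where it belongs.
$removed = Remove-UnexpectedLocalAdmins -Allowed $Allowed
Add-LocalGroupMemberIfMissing -Group 'Users' -Member "$Domain\Domain Users"

"Removed from Administrators: $($removed -join ', ')"
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
```

Run the -WhatIf pass on one machine and read the list before letting the real pass loose: a deleted domain account that is still a member shows up as a bare SID, and Get-LocalGroupMember is known to error on such orphaned entries, in which case `net localgroup Administrators` still lists (and can remove) them. Once the allow-list is right, the same logic belongs in a GPO (Restricted Groups or Group Policy Preferences Local Users and Groups) so that membership is re-enforced at every refresh rather than fixed once by a script.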

"Copy the user account to the default user account and give everyone the right to use it." Do you mean the default user profile here?

Mikeleebrla ---> right... sorry, bad choice of terminology.

This will do nothing for you, because security rights come from Active Directory, not from the "Default User" profile. All you accomplish by copying the "Default User" profile is giving each new user (one that hasn't logged into that particular workstation) the same background, desktop settings, etc. They will still have the exact same security rights as before.
Mikeleebrla ---> Yes, some security rights come from Active Directory; some also come from the local PC. I can be a domain user and a local administrator and have minimal rights on the domain and full control over my PC.

Per the question: "we are running every user as a local admin on their PCs (we are on active directory, so they are just regular users)."

As I mentioned in my first post, one of the first things I would do is peel back the local access rights of those users who are "regular users" in Active Directory, so that they are no longer in the local Administrators group.

One of the issues raised in the question is the reason why these people have admin rights in the first place: so that they can install and run their software. By creating a local default user profile with everything configured, including software, you take away their need to be local admins.

In terms of applying the Everyone permissions to the new default user profile, the person who creates a profile has ownership and full control over it, no one else does until you give it to them.  

Here let me provide you with a little reading ...
How to Create a Base user profile for All Users.
http://support.microsoft.com/default.aspx?scid=kb;en-us;168475&Product=winxp
How to Create a Custom Default User Profile
http://support.microsoft.com/default.aspx?scid=kb;en-us;319974&Product=winxp

There was a method to my madness... No, really...
But NONE come from the default user profile.
You are correct in regard to no rights coming from the default user profile (you do, however, need to grant rights to use it; see http://support.microsoft.com/default.aspx?scid=kb;en-us;168475&Product=winxp for details). However, now that his users have already installed large amounts of rubbish on their systems, it might be easier to clean house, as it were: delete the largest portion of the junk, which normally resides in the user profiles, uninstall the other stuff they have installed, and have the users start fresh with a new preconfigured default user profile and diminished user rights (I think I have mentioned the diminished user rights 3 or 4 times before ;) ). In my own world of 300+ users, I never give out admin rights in the first place. There is almost always a better option, including having IT install software as the user.
Dissolved,

    Here is a link to someone with a similar problem with Office. It does not discuss local administrative rights, but this would solve both for Office users. His users were local admins and he had an issue with updates etc. to Office; if his users were not local admins, they would have received permission issues. This resolves both problems, Office updates/installation and permissions.

https://www.experts-exchange.com/questions/21074165/Making-XP-Pro-act-like-98SE.html

J
Maybe automating a 'runas' script to change the registry keys or permissions will work for you.
I've used this in the past, but AD/GPOs are the way to go.
Be careful exposing that username and password....
 
'Start of Script
'VBRUNAS.VBS
'v1.2 March 2001
'Jeffery Hicks
'jhicks@quilogy.com http://www.quilogy.com
'USAGE: cscript|wscript VBRUNAS.VBS Username Password Command
'DESC: A RUNAS replacement that takes the password at a command prompt.
'NOTES: This is meant to be used for local access. If you want to run a command
'across the network as another user, you must add the /NETONLY switch to the RUNAS
'command.
'SECURITY: The password travels on the command line, so it is visible to anyone who
'can list processes on the machine and to anyone who can read the script or batch
'file that calls this one. Treat any credential used this way as disclosed, and never
'use a domain admin account here.

' *********************************************************************************
' * THIS PROGRAM IS OFFERED AS IS AND MAY BE FREELY MODIFIED OR ALTERED AS *
' * NECESSARY TO MEET YOUR NEEDS. THE AUTHOR MAKES NO GUARANTEES OR WARRANTIES, *
' * EXPRESS, IMPLIED OR OF ANY OTHER KIND TO THIS CODE OR ANY USER MODIFICATIONS. *
' * DO NOT USE IN A PRODUCTION ENVIRONMENT UNTIL YOU HAVE TESTED IN A SECURED LAB *
' * ENVIRONMENT. USE AT YOUR OWN RISK. *
' *********************************************************************************

Option Explicit
On Error Resume Next
Dim WshShell, WshEnv, oArgs, FSO
Dim sUser, sPass, sCmd, WinPath, rc

Set oArgs = WScript.Arguments

' Check the argument count before indexing oArgs; oArgs(0) raises an error when
' the script is started with no arguments at all.
If oArgs.Count = 0 Then
    WScript.Echo VBCRLF & "! Usage Error !" & VBCRLF
    Usage
End If

If InStr(oArgs(0), "?") <> 0 Then
    WScript.Echo VBCRLF & "? HELP ?" & VBCRLF
    Usage
End If

If oArgs.Count < 3 Then
    WScript.Echo VBCRLF & "! Usage Error !" & VBCRLF
    Usage
End If

sUser = oArgs(0)
sPass = oArgs(1) & VBCRLF    ' the trailing CR/LF presses Enter at the password prompt
sCmd  = oArgs(2)

Set WshShell = CreateObject("WScript.Shell")
Set WshEnv   = WshShell.Environment("Process")
WinPath = WshEnv("SystemRoot") & "\System32\runas.exe"
Set FSO = CreateObject("Scripting.FileSystemObject")

If Not FSO.FileExists(WinPath) Then
    WScript.Echo "!! ERROR !!" & VBCRLF & "Can't find or verify " & WinPath & "." & VBCRLF & _
                 "RUNAS.EXE ships with Windows 2000 and later; this script needs it."
    Cleanup
    WScript.Quit 1
End If

' Launch runas in a minimized console window; it prompts for the password there.
rc = WshShell.Run("runas /user:" & sUser & " " & Chr(34) & sCmd & Chr(34), 2, False)

' Give the console window time to open before typing into it. The original 30 ms
' is usually too short; 500 ms is a safer default, adjust for slow machines.
WScript.Sleep 500
WshShell.AppActivate WinPath  ' the console window title is the runas.exe path
WshShell.SendKeys sPass       ' type the password and press Enter

Cleanup
WScript.Quit 0

'************************
'* Cleanup Subroutine *
'************************
Sub Cleanup()
    Set WshShell = Nothing
    Set WshEnv   = Nothing
    Set oArgs    = Nothing
    Set FSO      = Nothing
End Sub

'************************
'* Usage Subroutine *
'************************
Sub Usage()
    On Error Resume Next
    Dim msg
    msg = "Usage: cscript|wscript vbrunas.vbs Username Password Command" & VBCRLF & VBCRLF & _
          "You should use the full path where necessary and put long file names or commands" & VBCRLF & _
          "with parameters in quotes" & VBCRLF & VBCRLF & _
          "For example:" & VBCRLF & _
          " cscript vbrunas.vbs quilogy\jhicks luckydog e:\scripts\admin.vbs" & VBCRLF & VBCRLF & _
          " cscript vbrunas.vbs quilogy\jhicks luckydog " & Chr(34) & "e:\program files\scripts\admin.vbs 1stParameter 2ndParameter" & Chr(34) & VBCRLF & VBCRLF & _
          "cscript vbrunas.vbs /?|-? will display this message."

    WScript.Echo msg

    WScript.Quit 1
End Sub
'End of Script