Local Administrator vs Group Policy Lockdown Practices

Posted on 2006-05-02
Last Modified: 2013-12-04
I am wondering what common practice is as far as rights on client PCs, not necessarily servers. In the past we were allowing our users to be a local administrator on their own PC since some of their software would not run with lesser privileges. It seems now that most of their software will run as a power user, so we have switched everyone over to a power user to tighten security and prevent them from making changes. Now what I am wondering is why not leave the user as a local administrator on their own computer and use group policy to lock it down.

It would seem like I would have more flexibility of what I want the user to do and what I don't want them to do.  But, there may also be things a local admin can do that a group policy could not prevent.  Like software installations.

One thing I noticed as a power user is the user cannot download Windows updates. So if the user is only a power user and GP is set to automatically download updates, will it work because of the user rights?

I suppose I am just trying to find out the best practices or what everyone else does regarding permission level on their client PCs.

Question by:ohmErnie
    LVL 15

    Accepted Solution

    Greetings ohmErnie,

    From my point of view, what you are doing is right, except regarding updates. I use GFI LANguard instead as a third-party software; believe me man, it really makes me very happy and removes all the headache of updating your clients.

    Good Luck!

    LVL 1

    Author Comment

    I was just throwing out the updates as an example. We are in the process of getting SMS to do our Windows updating.

    I really want to know if I should use a GP on top of a power user or a local admin.
    LVL 5

    Assisted Solution

    The PC itself is more protected from malicious activity when a user is a power user vs local admin regardless of GPO settings, since some vulnerabilities can only have the permissions of the currently logged on user. I recommend power user unless local admin is absolutely necessary. As with everything, there's always a flexibility / usability tradeoff.
