ohmErnie
asked on
Local Administrator vs Group Policy Lockdown Practices
I am wondering what common practice is as far rights on client pcs, not necessarily servers. In the past we were allowing our users to be a local administrator on their own pc since some of their software would not run with lesser priveleges. It seems now that most of their software will run as a power user, so we have switched everyone over to a power user to tighten security and prevent them from making changes. Now what I am wondering is why not leave the user as a local administrator on their own computer and use group policy to lockdown it down.
It would seem like I would have more flexibility of what I want the user to do and what I don't want them to do. But, there may also be things a local admin can do that a group policy could not prevent. Like software installations.
One thing I noticed as a power user is the user cannot download windows updates. So if the user is only a power user and gp is set to automatically download updates, will it work because of the user rights?
I suppose I am just trying to find out the best practices or what everyone else does regarding permission level on their client pc's.
It would seem like I would have more flexibility of what I want the user to do and what I don't want them to do. But, there may also be things a local admin can do that a group policy could not prevent. Like software installations.
One thing I noticed as a power user is the user cannot download windows updates. So if the user is only a power user and gp is set to automatically download updates, will it work because of the user rights?
I suppose I am just trying to find out the best practices or what everyone else does regarding permission level on their client pc's.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I really want to know if I should user a GP on top of a power user or a local admin.