
Local Administrator vs Group Policy Lockdown Practices

I am wondering what common practice is as far as rights on client PCs, not necessarily servers. In the past we were allowing our users to be a local administrator on their own PC since some of their software would not run with lesser privileges. It seems now that most of their software will run as a power user, so we have switched everyone over to a power user to tighten security and prevent them from making changes. Now what I am wondering is why not leave the user as a local administrator on their own computer and use group policy to lock it down?

It would seem like I would have more flexibility of what I want the user to do and what I don't want them to do.  But, there may also be things a local admin can do that a group policy could not prevent.  Like software installations.

One thing I noticed as a power user is the user cannot download Windows updates. So if the user is only a power user and GP is set to automatically download updates, will it work because of the user rights?

I suppose I am just trying to find out the best practices or what everyone else does regarding permission level on their client PCs.

2 Solutions
Naser Gabaj Commented:
Greetings ohmErnie,

From my point of view, what you are doing is right, except regarding updates: I use GFI LANguard instead, as third-party software. Believe me man, it really makes me very happy and removes all the headache of updating your clients.

Good Luck!

ohmErnie Author Commented:
I was just throwing out the updates as an example. We are in the process of getting SMS to do our Windows updating.

I really want to know if I should use a GP on top of a power user or a local admin.

The PC itself is more protected from malicious activity when a user is a power user vs local admin regardless of GPO settings, since some vulnerabilities can only have the permissions of the currently logged on user. I recommend power user unless local admin is absolutely necessary. As with everything, there's always a flexibility / usability tradeoff.
