
Local Administrator vs Group Policy Lockdown Practices

I am wondering what common practice is as far as rights on client PCs, not necessarily servers. In the past we were allowing our users to be a local administrator on their own PC since some of their software would not run with lesser privileges. It seems now that most of their software will run as a power user, so we have switched everyone over to a power user to tighten security and prevent them from making changes. Now what I am wondering is why not leave the user as a local administrator on their own computer and use group policy to lock it down?

It would seem like I would have more flexibility of what I want the user to do and what I don't want them to do. But there may also be things a local admin can do that a group policy could not prevent, like software installations.

One thing I noticed as a power user is the user cannot download Windows updates. So if the user is only a power user and GP is set to automatically download updates, will it work because of the user rights?

I suppose I am just trying to find out the best practices or what everyone else does regarding permission level on their client PCs.

2 Solutions
Naser Gabaj, E&P Senior Software Specialist, Commented:
Greetings ohmErnie,

From my point of view, what you are doing is right, except regarding updates. I use GFI LANguard instead as third-party software. Believe me, man, it really makes me very happy and removes all the headache of updating your clients.

Good Luck!

ohmErnie (Author) Commented:
I was just throwing out the updates as an example. We are in the process of getting SMS to do our Windows updating.

I really want to know if I should use a GP on top of a power user or a local admin.

The PC itself is more protected from malicious activity when a user is a power user vs local admin regardless of GPO settings, since some vulnerabilities can only have the permissions of the currently logged-on user. I recommend power user unless local admin is absolutely necessary. As with everything, there's always a flexibility / usability tradeoff.
Question has a verified solution.
