
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 357

How to manage laptop users' policy in terms of local administrator rights

Is there a way whereby, when a laptop user logs on to the domain, the local rights will be given as Power User? Once disconnected from the office network, the local rights will change from Power User to local administrator. Note: this uses the domain username and password logon without creating another identical username on the local machine.
1 Solution

I'm posting a response here mainly because I want to see what the answer is going to be.  Sorry I do not have one.

checkfu . . . why do you want to do this . . . if you don't mind me asking?

chekfu (Author) Commented:
Setting local administrator for any user is not allowed. There is no issue for desktop computer users. Only the laptop users find many inconveniences when operating outside the office network, such as they cannot perform program installation, or cannot change settings because they are dimmed.

Is there a way to resolve this management scenario? How to do it? Please advise!

Rich Rumble (Security Samurai) Commented:
We have used several different methods to combat problems such as this... Laptop users sometimes need to assign an IP statically, or change something in the network settings for example, and a power user cannot do this. There are even occasions where software will need to be installed suddenly that cannot be installed by a power user.

If you have a 24x7 helpdesk, the user can call the helpdesk and have the helpdesk VNC or remote desktop to the PC and do what is needed. This, however, won't always work, as again the user may need to have network settings changed before they can even get an IP, so remote-control software won't work in this case, and the HD will have to give the user the local admin pass and walk them through the process. Or the firewall needs to be modified, etc.

If there are common tasks that the user needs to perform, you can try the run-as VBS scripts listed here: http://www.xinn.org/RunasVBS.html The network settings and control panel, however, cannot be accessed using this method. There are various control panel applets that will work with this method, however not all of them can be called this way.

M$ has written several utilities that can help you run apps with runas. The first uses runas to run apps in a lower privileged account while being logged on as a higher privileged account.
The second, is not likely to be used but I should mention it anyway... it requires the user to know the local admin pass...

This one can be used by trusted persons... meaning you have to trust them enough not to abuse the power it gives... https://sourceforge.net/projects/runasadmin
There is also ProcessExplorer/PsExec: http://www.sysinternals.com/blog/2006/03/running-as-limited-user-easy-way.html
And runAs has a "savecred" switch that is really a big hole... as it will allow anything to be run as the admin if you're not careful...

As always, security is a tradeoff between ease of use and following your own guidelines. Security is a process, not a program, so you have to keep that in mind. If you think your users may be too "savvy" and figure out how these tools work or how to abuse them, then you'll need to put in place other checks, like a logon script that can alert you to approved software being installed...
http://www.xinn.org/logonscripting101.html  http://xinn.org/logonscripting102.html
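
An audit for the "savecred" hole mentioned above, as an added example that is not part of the original thread or of any tool linked in it. It parses `cmdkey /list` output and flags the entries that `runas /savecred` can replay. Assumptions: an English-language Windows (the `Target:`/`User:` labels are localized), saved runas credentials appearing with a `Domain:interactive=` target, and a hypothetical function name and constructed sample output.

```powershell
# Added example: find credentials left behind by "runas /savecred".
# Assumption: such entries appear in `cmdkey /list` with a target of the
# form "Domain:interactive=<MACHINE>\<account>".
function Get-SavedRunAsCredential {
    param([string[]]$CmdKeyOutput)

    $target = $null
    foreach ($line in $CmdKeyOutput) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            $target = $Matches[1]
        }
        elseif ($target -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $user = $Matches[1]   # copy before the next -match resets $Matches
            # Only interactive-logon entries can be reused by runas /savecred.
            if ($target -match '^Domain:interactive=') {
                [pscustomobject]@{ Target = $target; Account = $user }
            }
            $target = $null
        }
    }
}

# Constructed sample output (not captured from a real machine).
$sample = @'
Currently stored credentials:

    Target: Domain:interactive=LAPTOP-EXAMPLE\Administrator
    Type: Domain Password
    User: LAPTOP-EXAMPLE\Administrator

    Target: LegacyGeneric:target=fileserver.example.test
    Type: Generic
    User: EXAMPLE\jdoe
'@ -split "`r?`n"

# Reports only the first entry: the saved local Administrator credential.
Get-SavedRunAsCredential -CmdKeyOutput $sample | Format-Table -AutoSize

# On a real laptop, run in the user's own session (for example from a
# logon script), since the credential vault is per user:
#   $found = Get-SavedRunAsCredential -CmdKeyOutput (cmdkey /list)
#   $found | ForEach-Object { cmdkey "/delete:$($_.Target)" }   # after review
```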
