How to manage laptop users' policy in terms of local administrator rights

Is there a way whereby, when a laptop user logs on to the domain, the local right will be given as Power User? Once disconnected from the office network, the local right will change from Power User to local administrator. Note: this uses the domain username and password logon without creating another identical username on the local machine.
chekfu Asked:
 
Rich Rumble (Security Samurai) Commented:
We have used several different methods to combat problems such as this... Laptop users sometimes need to assign an IP statically, or change something in the network settings for example, and a power user cannot do this. There are even occasions where software will need to be installed suddenly that cannot be installed by a power user.

If you have a 24x7 helpdesk, the user can call the helpdesk and have the helpdesk VNC or remote desktop to the PC and do what is needed. This, however, won't always work, as again the user may need to have network settings changed before they can even get an IP, so remote-control software won't work in this case, and the HD will have to give the user the local admin pass and walk them through the process. Or the firewall needs to be modified, etc.

If there are common tasks that the user needs to perform, you can try the run-as VBS scripts listed here: http://www.xinn.org/RunasVBS.html The network settings and control panel, however, cannot be accessed using this method. There are various control panel applets that will work with this method, however not all of them can be called this way.

M$ has written several utilities that can help you run apps with runas; the first uses runas to run apps in a lower privileged account while being logged on as a higher privileged account:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure11152004.asp
The second, is not likely to be used but I should mention it anyway... it requires the user to know the local admin pass...
http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx

This one can be used by trusted persons... meaning you have to trust them enough not to abuse the power it gives... https://sourceforge.net/projects/runasadmin
There is also ProcessExplorer/PsExec: http://www.sysinternals.com/blog/2006/03/running-as-limited-user-easy-way.html
And runAs has a "savecred" switch that is really a big hole... as it will allow anything to be run as the admin if you're not careful...
http://www.derkeiler.com/Mailing-Lists/NT-Bugtraq/2003-07/0069.html

As always, security is a tradeoff between ease of use and following your own guidelines. Security is a process, not a program, so you have to keep that in mind. If you think your users may be too "savvy" and figure out how these tools work or how to abuse them, then you'll need to put in place other checks, like a logon script that can alert you to approved software being installed...
http://www.xinn.org/logonscripting101.html  http://xinn.org/logonscripting102.html
-rich
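
As an added example (not part of the original thread or the linked scripts), here is a logon-time audit in PowerShell for the two things the answer above raises: credentials left behind by `runas /savecred`, and installed software checked against an approved list. The function names, the approved list and the sample `cmdkey /list` output are constructed for illustration.

```powershell
# Added example. Hypothetical: function names, $approved, and the sample output.
function Get-SavedRunasAccount {
    # runas /savecred keeps the password in Credential Manager; cmdkey /list
    # shows such entries with a "Domain:interactive=<account>" target.
    param([string[]]$CmdkeyOutput)
    foreach ($line in $CmdkeyOutput) {
        if ($line -match 'Domain:interactive=(?<account>\S.*?)\s*$') {
            $Matches['account']
        }
    }
}

function Get-InstalledSoftwareName {
    # Display names from the per-machine and per-user Uninstall registry keys.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object { $_.DisplayName.Trim() } |
        Sort-Object -Unique
}

function Get-UnapprovedSoftware {
    param([string[]]$Installed, [string[]]$Approved)
    # -notcontains compares case-insensitively, which suits display names.
    $Installed | Where-Object { $Approved -notcontains $_ }
}

# Constructed sample of `cmdkey /list` output, so the parser can be tried offline.
$sampleCmdkey = @(
    'Currently stored credentials:'
    '    Target: Domain:interactive=LAPTOP01\Administrator'
    '    Type: Domain Password'
    '    User: LAPTOP01\Administrator'
)
Get-SavedRunasAccount -CmdkeyOutput $sampleCmdkey |
    ForEach-Object { Write-Warning "Saved runas credential for $_" }

# Live checks on the machine running the script; $approved is a placeholder list.
$approved = @('7-Zip 23.01 (x64)', 'Mozilla Firefox (x64 en-US)')
Get-SavedRunasAccount -CmdkeyOutput (cmdkey.exe /list) |
    ForEach-Object { Write-Warning "Saved runas credential for $_" }
Get-UnapprovedSoftware -Installed (Get-InstalledSoftwareName) -Approved $approved |
    ForEach-Object { Write-Warning "Software not on approved list: $_" }
```

A saved entry for a local administrator account means any program can be started as that account without a prompt, so a hit from the first check is worth following up with `cmdkey /delete` on the reported target.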
 
dmcoop Commented:
Interesting.  

I'm posting a response here mainly because I want to see what the answer is going to be.  Sorry I do not have one.

chekfu . . . why do you want to do this . . . if you don't mind me asking?

 
chekfu (Author) Commented:
Setting local administrator for any user is not allowed. There is no issue for desktop computer users. Only the laptop users find many inconveniences when operating outside the office network, such as they cannot perform program installation, or cannot change settings because they are dimmed.

Is there a way to resolve this management scenario? How can it be done? Please advise!
Question has a verified solution.
