Solved

Pros and Cons of taking away local administrator rights on end user PCs

Posted on 2006-06-27
3
1,660 Views
Last Modified: 2008-02-07
We are running active directory on our network.  What are the pros and cons of taking away local admin rights on our end user PCs?  We want to prevent spyware and unauthorized software installation but are scared our help desk will be deluged with calls with problems (printer installs, custom software not working, etc.).

Thanks!
0
Comment
Question by:Lotus30306
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 17

Assisted Solution

by:jburgaard
jburgaard earned 150 total points
ID: 16996993
In an ideal world the users would use - and the admins  admin.
Unfortunately a lot of programs on our scool demand the user having high priv.'s.

So we end up asigning the 'interactive user' local admin rigths.

On top of that we impose a small amount of GPO restrictions.

-And ghostcast fresh images quite often.

Much depend on YOUR environment.
Is a fresh image con.'d good or real bad?
Are the users responsable and sort of knowing what they are dooing?
0
 
LVL 2

Accepted Solution

by:
prickly earned 200 total points
ID: 16999134
In our evironment users do not have admin rights. We failrly regularly get calls asking how to get software that is not packaged or for more recent versions of already packaged software.

Some user's need power user rights for particular software and other's need admin rights all of the time (developers need to install and test for example) but I don't think that a vast amount of our software needs admin rights to run. I don't often have to assign temporary admin rights directly to users though I do frequently use 'run as' when connected to users machines to troubleshoot incidents. We have people wanting to install home printers on laptops and that kind of thing too.

We still experience some spyware and viruses - but not that much. Some software still manages to install without admin rights - such as google toolbar etc and we get users still trying to install stuff like google earth to network drives without admin priv.

I guess because it's part of our day it does not seem like that much of a burden. We can get by recreating windows profiles for some issues and we do still have to re-image machines and provide loaner machines in the meantime.

I think that giving some of our users admin rights would result in a lot more work - even without admin rights a few manage to break things quite regularly.
0
 
LVL 1

Assisted Solution

by:Dave-sysadm
Dave-sysadm earned 150 total points
ID: 16999419
I would agree with prickly, that it is better to retain admin rights, and keep control of the user environment.   You can allow users to install printers I believe in secpol, (secpol.msc, local, security, disable "prevent users from installing printer drivers").

Additionally, all software that I have ever used can be fully utilised without the need for admin rights, after some tinkering.   Most software problems of this nature, are due to default file permissions.   Such as profile hidden folders, program files, spool folders, winnt or system32 folders.   Additionally, sometimes giving the user admin rights whilst they install some software, can work (PDA software springs to mind).   I think the only software I have problems with that anyone would of heard of are, AutoCad, (various suites up to the current) and photodraw, but a fair few others, and they have all be overcome.
0

Featured Post

Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Website and email setup 4 61
802.1X auth setup and configuration 3 42
Exchange2013 MAPI 6 68
Need a modeling tool 2 43
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Ransomware is a malware that is again in the list of security  concerns. Not only for companies, but also for Government security and  even at personal use. IT departments should be aware and have the right  knowledge to how to fight it.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question