falvarad
asked on
Adding user to Local Administrator in workstation security risk
I need to add the users to the local administrator group on their workstations. I know that this represents a security risk but I have no option. This is for a computer lab in a small university. The users need to be copying files to their flash drives, and since they do not have local administrator rights they are not able to install the flash drives. They need to get a person from IT to log in as a local administrator. I need to do this in the safest way. What can I control with GPO or any other way to give the user logged in as local administrator the minimum control over the network resources? For instance, I don't want them to be able to go to the DOS shell or to install executables.
Thanks for your help
ASKER
Thank you for your quick response.
We just need to add one user to the local administrator account. The students do not have an account in our domain. We use only one account that logs in to the workstations automatically every time it is rebooted, so we can add this account to the Local Administrator using a GPO. We also have software that will restore the computer to its original settings every time it reboots. Any software that the students install or any changes to the configuration of the computer will be reset to its original settings. The problem is that during the time the student is logged in as local administrator they will have access to the DOS shell and some other features. I need to get an idea of what they can do to the network and what I can do to avoid it. All I need is for them to be able to install their "Flash Disk" if possible.
I see what you mean. With admin privileges locally, they can't do all that much damage to your network structure; it's more if they have admin privileges on the domain that you should be worried about.
for example, our users have local admin priv, but we counter what they can and can't do with group policies
ASKER
Jay Jay,
That is exactly what I need: to have an idea of what you guys counter with the group policies. If they are local administrators, they can install software on their computers to sniff the network, for instance.
ASKER
Jay Jay
What is your email address? Or if you want, you can email it to frankyal@aol.com
my email is in my profile :)
Thank you and good luck
find out what you want to block then use this reference
http://www.microsoft.com/downloads/details.aspx?FamilyID=7821C32F-DA15-438D-8E48-45915CD2BC14&displaylang=en
you also have a couple of quick options on adding users to the local admin groups in one hit
you can use restricted groups
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html
or you can use this small tool
http://www.petri.co.il/a2lg.htm
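
An audit check to run on a lab workstation after the Restricted Groups policy and the command-prompt restriction discussed in this thread have been applied; it is an added example, not code from any poster. The function name `Test-LabAdminBaseline` and the allow-list entries (`EXAMPLE\Domain Admins`, `EXAMPLE\labuser`) are hypothetical placeholders to replace with your own domain and lab account.

```powershell
# Added example: report unexpected local Administrators members and whether the
# "Prevent access to the command prompt" user policy is set for the current user.
function Test-LabAdminBaseline {
    param(
        # Placeholder allow-list (assumption): substitute your own accounts.
        [string[]]$Allowed = @(
            "$env:COMPUTERNAME\Administrator",  # built-in local account
            'EXAMPLE\Domain Admins',            # hypothetical domain group
            'EXAMPLE\labuser'                   # hypothetical shared lab account
        )
    )

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so the
    # lookup works regardless of the Windows display language.
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544'

    # -notcontains compares case-insensitively; Name is 'DOMAIN\account'.
    $unexpected = @($members | Where-Object { $Allowed -notcontains $_.Name })

    # The policy writes DisableCMD under the per-user Policies key:
    # 1 = cmd and batch files blocked, 2 = cmd blocked but scripts allowed.
    $key = 'HKCU:\Software\Policies\Microsoft\Windows\System'
    $cmdPolicy = (Get-ItemProperty -Path $key -Name DisableCMD `
                    -ErrorAction SilentlyContinue).DisableCMD

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        AdminMembers      = @($members | ForEach-Object { $_.Name })
        UnexpectedMembers = @($unexpected | ForEach-Object { $_.Name })
        CmdPolicyValue    = $cmdPolicy
        CmdBlocked        = ($cmdPolicy -eq 1 -or $cmdPolicy -eq 2)
        Compliant         = ($unexpected.Count -eq 0) -and
                            ($cmdPolicy -eq 1 -or $cmdPolicy -eq 2)
    }
}

# Run while logged on as the lab account, since DisableCMD is a per-user setting.
Test-LabAdminBaseline | Format-List
```

`Get-LocalGroupMember` requires Windows PowerShell 5.1 or later. Because the logged-on account is itself a local administrator, treat a compliant result as a point-in-time check rather than a guarantee that the settings cannot be changed during the session.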