Solved

Adding user to Local Administrator in workstation security risk

Posted on 2006-07-15
Last Modified: 2008-02-01
I need to add the users to the local administrator group on their workstations. I know that this represents a security risk but I have no option. This is for a computer lab in a small university. The users need to be copying files to their flash drives and since they do not have local administrator rights they are not able to install the flash drives. They need to get a person from IT to log in as a local administrator. I need to do this in the safest way. What can I control with GPO or any other way to give the user logged in as local administrator the minimum control over the network resources? For instance I don't want them to be able to go to the DOS shell or to install executables.

Thanks for your help
Question by:falvarad
8 Comments
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17116241
if you add to the local admins group then you need to play with group policies a lot to counter the sec risk

find out what you want to block then use this reference
http://www.microsoft.com/downloads/details.aspx?FamilyID=7821C32F-DA15-438D-8E48-45915CD2BC14&displaylang=en

you also have a couple of quick options on adding users to the local admin groups in one hit

you can use restricted groups
http://www.windowsecurity.com/articles/Using-Restricted-Groups.html

or you can use this small tool
http://www.petri.co.il/a2lg.htm
 

Author Comment

by:falvarad
ID: 17117641
Thank you for your quick response.
We just need to add one user to the local administrator account. The students do not have an account in our Domain. We use only one account that logs in to the workstations automatically every time it is rebooted so we can add this account to the Local Administrator using a GPO. We also have software that will restore the computer to its original setting every time it reboots. Any software that the students install or any changes to the configuration of the computer will be reset to its original settings. The problem is during the time the student is logged in as local administrator they will have access to the DOS shell and some other features. I need to get an idea what can they do to the network and what can I do to avoid it. All I need is for them to be able to install their "Flash Disk" if possible.
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17118510
i see what you mean, with admin privileges locally, they can't do all that much damage to your network structure, it's more if they have admin privileges on the domain that you should be worried about

for example, our users have local admin priv, but we counter what they can and can't do with group policies
 

Author Comment

by:falvarad
ID: 17118563
Jay Jay,

That is exactly what I need. To have an idea what you guys counter with the group policies. If they are local administrators, they can install software on their computers to sniff the network for instance.



 
LVL 48

Accepted Solution

by:
Jay_Jay70 earned 500 total points
ID: 17118700
whilst i am hesitant to actually post on here everything that we do as it is kind of big.....if you want to drop me an email i will send you our current GPO in .DOC format if you like, that way you can see some basic restrictions and add to yours whatever you like........you can probably go a lot heavier on your blocking of .exe and installs etc
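
The two restrictions the question asks for (no command prompt, no arbitrary executables) can be audited on a lab PC where the logged-on account is a local administrator. The PowerShell below is an added example, not part of the original posts or of any poster's GPO; the function names and the sample hashtable are constructed for illustration, and the registry values are the ones written by the "Prevent access to the command prompt" and Software Restriction Policies (SRP) settings.

```powershell
# Added example: audit command-prompt and executable restrictions on a lab PC.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the policy is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-LabLockdown {
    param([hashtable]$Settings)
    $findings = @()
    # DisableCMD: 1 = block cmd.exe and batch files, 2 = block cmd.exe only.
    if (@(1, 2) -notcontains $Settings.DisableCMD) {
        $findings += 'Command prompt is not blocked for this user.'
    }
    # DefaultLevel: 0 = Disallowed (allow-list), 0x40000 = Unrestricted.
    if ($null -eq $Settings.DefaultLevel) {
        $findings += 'No Software Restriction Policy is configured.'
    } else {
        if ($Settings.DefaultLevel -ne 0) {
            $findings += 'SRP default level is not Disallowed; only listed rules block anything.'
        }
        # PolicyScope: 0 = all users, 1 = all users except local administrators.
        if ($Settings.PolicyScope -eq 1) {
            $findings += 'SRP skips local administrators, so it does not apply to the lab account.'
        }
        # TransparentEnabled: 0 = enforcement off.
        if ($Settings.TransparentEnabled -eq 0) {
            $findings += 'SRP enforcement is turned off.'
        }
    }
    return $findings
}

# Constructed sample: SRP is set to Disallowed but scoped to non-administrators.
$sample = @{ DisableCMD = 1; DefaultLevel = 0; PolicyScope = 1; TransparentEnabled = 1 }
Test-LabLockdown -Settings $sample

# Live check, run while logged on as the lab account.
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$live = @{
    DisableCMD         = Get-PolicyValue 'HKCU:\Software\Policies\Microsoft\Windows\System' 'DisableCMD'
    DefaultLevel       = Get-PolicyValue $srp 'DefaultLevel'
    PolicyScope        = Get-PolicyValue $srp 'PolicyScope'
    TransparentEnabled = Get-PolicyValue $srp 'TransparentEnabled'
}
Test-LabLockdown -Settings $live
```

A local administrator has write access to both registry locations, so these settings hold only because Group Policy re-applies them; they reduce casual misuse and are not a boundary against the account itself.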
 

Author Comment

by:falvarad
ID: 17118948
Jay Jay

What is your email address? Or if you want, you can email it to frankyal@aol.com
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17118961
my email is in my profile :)
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 17119183
Thank you and Good luck