Removing local admin rights - best practice?

I am a domain admin on our network.  When logged into my own XP box I am able to do installs.  This seems to be true even if I remove local admin rights from my account.  I've read that it's best not to run with local admin rights so as to prevent unwanted installs, malware for instance.  But how do I accomplish it?  I could create a NEW account on this box, but then I'd be missing all the docs and such from the current profile.  I would prefer to just adjust my access rights on the current profile, but like I mentioned above, just removing local admin rights didn't seem to accomplish this...I was still able to perform an install.

So bottom line...seeking "best practices" with regards to being a domain admin, but only wanting to run with restricted rights day to day...

snoopfrogg Commented:
I would create the following two accounts:

1.  adminGStark - this account would have higher privileges and could be added to the local administrators group on workstations and member servers to accomplish administrative tasks.  I'd recommend against making this a domain administrator group member; use the existing domain administrator account for the times you need to perform work on domain controllers.

2.  GStark - Use this account as your typical day-to-day account.  Tie email to this account.  Once you log in once with this account, migrate your existing profile to this account and copy email from your existing account to this account's mailbox.

Yes, it is work up front to accomplish the switch, but you'll be much more secure.

Suggestion is to leave the local "Administrator" account for administration purposes and regularly use a limited user account.
When needed you can execute commands from the limited user account using the "Run as" command:

Regarding your files, you can use the "Transfer files and setting wizard":

The Domain Admins group is added to the local administrators group on domain-joined workstations by default, and you can't remove the Domain Admins group from the local administrators.

For administrators, I prefer to create two domain-based accounts, one with administrative rights (not Domain Admin level) and one with typical Domain User rights.  For normal use, administrators can use the lower privileged account to prevent accidental deletions and malware installation and/or propagation.  When administrators need to use higher privileges, they can log in with the separate higher privileged account.

A benefit to going this route is auditing administrator activity on the network is easier to accomplish.  The use of a Domain Admin account becomes a rarity, so when you see it being used in an interactive session in your security logs, and since there are far fewer auditing entries for its use, you'll be more likely to notice.
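
The auditing point in the comment above, as an added example that is not part of the original thread: a small filter over exported logon events that flags interactive sessions by a Domain Admins account and separates use on a domain controller from use anywhere else. The domain name `CORP`, the host names and the event rows are constructed assumptions; the account names follow the thread.

```python
import csv
import io

# Successful-logon event IDs: 528 on XP/Server 2003, 4624 on Vista and later.
LOGON_EVENT_IDS = {"528", "4624"}
# Logon types with a person in a session: console, RDP, cached credentials.
INTERACTIVE_TYPES = {"2": "console", "10": "rdp", "11": "cached"}
# Assumptions (hypothetical names): the domain, its Domain Admins members, its DCs.
DOMAIN = "corp"
DOMAIN_ADMINS = {"administrator"}
DOMAIN_CONTROLLERS = {"dc01"}

FIELDS = ["time", "host", "event_id", "logon_type", "domain", "account"]
# Constructed sample export, one logon event per row, columns as in FIELDS.
SAMPLE_EVENTS = """\
2009-03-02T08:01:12,WS-GSTARK,528,2,CORP,GStark
2009-03-02T09:15:40,WS-GSTARK,528,2,CORP,adminGStark
2009-03-02T10:02:05,DC01,528,10,CORP,Administrator
2009-03-02T11:30:00,WS-GSTARK,528,2,WS-GSTARK,Administrator
2009-03-02T13:47:19,WS-GSTARK,528,2,CORP,Administrator
2009-03-02T14:00:00,FS01,540,3,CORP,Administrator
2009-03-03T07:55:31,WS-LAB7,4624,11,CORP,administrator
"""


def classify(event):
    """Return None, 'review' (Domain Admin on a DC) or 'violation' (any other host)."""
    if event["event_id"] not in LOGON_EVENT_IDS or event["logon_type"] not in INTERACTIVE_TYPES:
        return None  # not a person at a session (network, service, other events)
    # The local Administrator account logs on with the host name as its domain.
    if event["domain"].lower() != DOMAIN or event["account"].lower() not in DOMAIN_ADMINS:
        return None
    return "review" if event["host"].lower() in DOMAIN_CONTROLLERS else "violation"


def find_domain_admin_sessions(text):
    """Return (verdict, time, host, session kind) for each flagged logon."""
    hits = []
    for event in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        verdict = classify(event)
        if verdict:
            hits.append((verdict, event["time"], event["host"],
                         INTERACTIVE_TYPES[event["logon_type"]]))
    return hits


if __name__ == "__main__":
    for hit in find_domain_admin_sessions(SAMPLE_EVENTS):
        print(*hit)
```

With separate day-to-day and workstation-admin accounts in place, the flagged list stays short enough to read by hand, which is the benefit the comment describes.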

Try to use restricted groups from Group Policy
garystark (Author) Commented:
So if I want to keep using my existing profile, email, etc, could I just demote myself after first creating myself a new domain admin account?  I'd rather keep my current account intact as much as possible, rather than try moving profiles around.

Question has a verified solution.
