

Removing local admin rights - best practice?

Medium Priority
Last Modified: 2013-12-04
I am a domain admin on our network.  When logged into my own XP box I am able to do installs.  This seems to be true even if I remove local admin rights from my account.  I've read that it's best not to run with local admin rights so as to prevent unwanted installs, malware for instance.  But how do I accomplish it?  I could create a NEW account on this box, but then I'd be missing all the docs and such from the current profile.  I would prefer to just adjust my access rights on the current profile, but like I mentioned above, just removing local admin rights didn't seem to accomplish this...I was still able to perform an install.

So bottom line...seeking "best practices" with regard to being a domain admin, but only wanting to run with restricted rights day to day...


Suggestion is to leave the local "Administrator" account for administration purposes and regularly use a limited user account.
When needed you can execute commands from the limited user account using the "Run as" command:

Regarding your files, you can use the "Transfer files and setting wizard":

The Domain Admins group is added to the local administrators group on domain-joined workstations by default, and you can't remove the Domain Admins group from the local administrators.

For administrators, I prefer to create two domain-based accounts, one with administrative rights (not Domain Admin level) and one with typical Domain User rights.  For normal use, administrators can use the lower privileged account to prevent accidental deletions and malware installation and/or propagation.  When administrators need to use higher privileges, they can log in with the separate higher privileged account.

A benefit to going this route is auditing administrator activity on the network is easier to accomplish.  The use of a Domain Admin account becomes a rarity, so when you see it being used in an interactive session in your security logs, and since there are far fewer auditing entries for its use, you'll be more likely to notice.

Try to use restricted groups from Group Policy


So if I want to keep using my existing profile, email, etc, could I just demote myself after first creating myself a new domain admin account?  I'd rather keep my current account intact as much as possible, rather than try moving profiles around.

I would create the following two accounts:

1.  adminGStark - this account would have higher privileges and could be added to the local administrators group on workstations and member servers to accomplish administrative tasks.  I'd recommend against making this a domain administrator group member; use the existing domain administrator account for the times you need to perform work on domain controllers.

2.  GStark - Use this account as your typical day-to-day account.  Tie email to this account.  Once you log in once with this account, migrate your existing profile to this account and copy email from your existing account to this account's mailbox.

Yes, it is work up front to accomplish the switch, but you'll be much more secure.
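The auditing benefit mentioned in the answers above can be checked mechanically. The following is an added example, not code from any poster in this thread: it scans a Security log export for interactive sessions by Domain Admins members. The CSV column names, the host names, the CORP domain and the sample rows are constructed assumptions; GStark and adminGStark are the account names used above.

```python
import csv
import io

# Logon event IDs: 528 on XP/Server 2003, 4624 on Vista/Server 2008 and later.
LOGON_EVENT_IDS = {"528", "4624"}
# Logon types that represent an interactive session:
# 2 = console, 10 = Remote Desktop, 11 = cached domain credentials.
INTERACTIVE_TYPES = {"2", "10", "11"}

# Constructed sample export (not real log data). The column layout is an
# assumption about how the Security log was exported to CSV.
SAMPLE_EXPORT = """time,host,event_id,logon_type,domain,account
2013-12-02T08:01:12,WS-014,528,2,CORP,GStark
2013-12-02T09:15:40,WS-014,528,2,CORP,adminGStark
2013-12-02T09:20:03,FS-01,540,3,CORP,Administrator
2013-12-03T22:47:31,DC-01,4624,10,CORP,Administrator
2013-12-04T02:13:05,WS-022,528,2,CORP,Administrator
2013-12-04T02:14:00,WS-022,528,2,WS-022,Administrator
"""

def find_domain_admin_sessions(export_text, domain, domain_admins, domain_controllers):
    """Return interactive logons by Domain Admins members, one dict per event."""
    admins = {name.lower() for name in domain_admins}
    dcs = {name.lower() for name in domain_controllers}
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["event_id"] not in LOGON_EVENT_IDS:
            continue  # not a successful local/remote logon event
        if row["logon_type"] not in INTERACTIVE_TYPES:
            continue  # network, service and batch logons are out of scope
        # A local account with the same name (domain == host) is not a domain admin.
        if row["domain"].lower() != domain.lower():
            continue
        if row["account"].lower() not in admins:
            continue
        on_dc = row["host"].lower() in dcs
        findings.append({
            "time": row["time"], "host": row["host"], "account": row["account"],
            # Work on a domain controller fits the two-account model; other hosts need review.
            "severity": "expected-but-rare" if on_dc else "review",
        })
    return findings

if __name__ == "__main__":
    for f in find_domain_admin_sessions(SAMPLE_EXPORT, "CORP", ["Administrator"], ["DC-01"]):
        print(f["time"], f["host"], f["account"], f["severity"])
```

With the day-to-day and workstation-admin accounts carrying the routine logons, the output stays short enough to read in full.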
