Removing local admin rights - best practice?

Posted on 2009-02-13
Last Modified: 2013-12-04
I am a domain admin on our network.  When logged into my own XP box I am able to do installs.  This seems to be true even if I remove local admin rights from my account.  I've read that it's best not to run with local admin rights so as to prevent unwanted installs, malware for instance.  But how do I accomplish it?  I could create a NEW account on this box, but then I'd be missing all the docs and such from the current profile.  I would prefer to just adjust my access rights on the current profile, but like I mentioned above, just removing local admin rights didn't seem to accomplish this...I was still able to perform an install.

So bottom line...seeking "best practices" with regards to being a domain admin, but only wanting to run with restricted rights day to day...

Question by:garystark
    LVL 9

    Expert Comment

    My suggestion is to leave the local "Administrator" account for administration purposes and regularly use a limited user account.
    When needed you can execute commands from the limited user account using the "Run as" command.

    Regarding your files, you can use the "Transfer files and settings wizard".
    LVL 11

    Expert Comment

    The Domain Admins group is added to the local administrators group on domain-joined workstations by default, and you can't remove the Domain Admins group from the local administrators.

    For administrators, I prefer to create two domain-based accounts, one with administrative rights (not Domain Admin level) and one with typical Domain User rights.  For normal use, administrators can use the lower privileged account to prevent accidental deletions and malware installation and/or propagation.  When administrators need to use higher privileges, they can log in with the separate higher privileged account.

    A benefit of going this route is that auditing administrator activity on the network is easier to accomplish.  The use of a Domain Admin account becomes a rarity, so when you see it used in an interactive session in your security logs you'll be more likely to notice, since there are far fewer audit entries for its use.
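    The following is an added example, not part of the thread, that shows the nesting the comment above describes. It walks the current logon token and the local Administrators group so you can see whether admin rights arrive directly or through a nested group such as Domain Admins; it uses only .NET and the `net` command, so it runs on XP-era PowerShell as well as current versions.

```powershell
# Added example (not from the thread): show whether the current logon token is a local
# administrator and which token groups put it there.
# On Vista and later with UAC enabled, run from an elevated prompt; otherwise IsInRole
# reports False for the filtered token even when the account is an administrator.

$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

"Logged on as: $($id.Name)"
"Token is a member of BUILTIN\Administrators: $($principal.IsInRole($adminRole))"
""

# Translate every group SID in the token to a name. S-1-5-32-544 is BUILTIN\Administrators;
# a domain group SID ending in -512 is that domain's Domain Admins group.
foreach ($g in $id.Groups) {
    $sid = $g.Value
    try   { $name = $g.Translate([Security.Principal.NTAccount]).Value }
    catch { $name = "(unresolved)" }

    $flag = ""
    if     ($sid -eq "S-1-5-32-544") { $flag = "  <-- local Administrators" }
    elseif ($sid -match "-512$")     { $flag = "  <-- Domain Admins (nested into local Administrators by default)" }

    "{0,-45} {1}{2}" -f $name, $sid, $flag
}

# The local group itself. If DOMAIN\Domain Admins is listed here, removing your *user*
# account from the group changes nothing: the rights still flow through the nested group,
# which is why the install in the question kept working.
""
net localgroup Administrators
```

    If the output lists both your user SID and a `-512` group with the `BUILTIN\Administrators` flag set, the account is an administrator by inheritance from Domain Admins, and the only fix is to stop using a Domain Admins member for daily logons.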
    LVL 1

    Expert Comment

    Try to use restricted groups from Group Policy

    Author Comment

    So if I want to keep using my existing profile, email, etc, could I just demote myself after first creating myself a new domain admin account?  I'd rather keep my current account intact as much as possible, rather than try moving profiles around.

    LVL 11

    Accepted Solution

    I would create the following two accounts:

    1.  adminGStark - this account would have higher privileges and could be added to the local administrators group on workstations and member servers to accomplish administrative tasks.  I'd recommend against making this a Domain Admins group member; use the existing domain administrator account for the times you need to perform work on domain controllers.

    2.  GStark - Use this account as your typical day-to-day account.  Tie email to this account.  Once you have logged in once with this account, migrate your existing profile to this account and copy email from your existing account to this account's mailbox.

    Yes, it is work up front to accomplish the switch, but you'll be much more secure.
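    As an added example (not code from the thread), here is the accepted answer's two-account model carried out with the `net` commands available on XP/2003-era domains, run from a domain-joined machine while logged on with an account that can create domain accounts. The domain name `CORP`, the group name `Workstation Admins`, the comments and the installer path are assumptions; the account names are the ones the answer proposes. It also shows the "Run as" step from the first reply and the Group Policy Restricted Groups alternative mentioned further up.

```powershell
# Added example (not from the thread): set up a daily account and a separate,
# non-Domain-Admin administrative account, then use runas for admin tasks.
# Assumed values: domain CORP, group "Workstation Admins", installer path.

$domain    = "CORP"
$dailyUser = "GStark"        # day-to-day account, plain Domain User
$adminUser = "adminGStark"   # workstation / member-server admin, NOT a Domain Admin
$adminGrp  = "Workstation Admins"

# 1. Create both domain accounts. /domain runs the command against the PDC emulator.
#    The * form prompts for the password instead of leaving it in the shell history.
net user $dailyUser * /add /domain /comment:"Daily account for Gary Stark"
net user $adminUser * /add /domain /comment:"Admin account for Gary Stark (not a Domain Admin)"

# 2. Put the admin account in a dedicated global group instead of Domain Admins, so the
#    existing Domain Admin account is used only for domain controller work.
net group $adminGrp /add /domain /comment:"Local admin on workstations and member servers"
net group $adminGrp $adminUser /add /domain

# 3. Nest that group into the local Administrators group on each workstation and member
#    server. Run this once per machine, or enforce it centrally with a Group Policy
#    Restricted Groups entry for BUILTIN\Administrators that lists only Domain Admins and
#    this group (Computer Configuration > Windows Settings > Security Settings > Restricted Groups).
net localgroup Administrators "$domain\$adminGrp" /add

# 4. After logging on as the daily account, confirm it is NOT a local administrator.
#    Expected: False. (On Vista and later check from an elevated prompt, see UAC note above.)
$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
"Current logon is local admin: " + $principal.IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)

# 5. Day to day, stay logged on as GStark and launch only the tool that needs rights under
#    the admin account. runas prompts for adminGStark's password and leaves the rest of the
#    session (mail client, browser, documents) running with restricted rights.
runas "/user:$domain\$adminUser" "mmc compmgmt.msc"
runas "/user:$domain\$adminUser" "msiexec /i C:\installers\app.msi"
```

    Running step 4 before and after step 3 is the quickest way to prove the split worked: the daily account should report `False`, and `runas` with the admin account should still be able to open Computer Management with full rights.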