Removing local admin rights - best practice?

I am a domain admin on our network.  When logged into my own XP box I am able to do installs.  This seems to be true even if I remove local admin rights from my account.  I've read that it's best not to run with local admin rights so as to prevent unwanted installs, malware for instance.  But how do I accomplish it?  I could create a NEW account on this box, but then I'd be missing all the docs and such from the current profile.  I would prefer to just adjust my access rights on the current profile, but like I mentioned above, just removing local admin rights didn't seem to accomplish this...I was still able to perform an install.

So bottom line...seeking "best practices" with regards to being a domain admin, but only wanting to run with restricted rights day to day...

gary
Asked by garystark
 
pablovr commented:
Suggestion is to leave the local "Administrator" account for administration purposes and regularly use a limited user account.
When needed you can execute commands from the limited user account using the "Run as" command:
http://support.microsoft.com/kb/305780

Regarding your files, you can use the "Transfer files and setting wizard":
http://support.microsoft.com/kb/293118
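A small script that puts the "limited account plus Run as" suggestion above into practice. It is an added example, not code from this thread: it checks whether the current session already carries local administrator rights and, if not, uses runas to start a single management console under the separate privileged account. `CONTOSO\adminUser` is a placeholder for whatever privileged account you create.

```powershell
# Added example for the "limited account + Run as" approach; not code from the thread.
# CONTOSO\adminUser is a placeholder for the separate privileged account.
$AdminAccount = 'CONTOSO\adminUser'

# True when the current token is a member of the local Administrators group.
# Note: on Vista and later with UAC, a non-elevated administrator's filtered
# token reports $false here; on XP (the asker's platform) there is no filtering.
function Test-IsLocalAdmin {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Start one administrative tool under the privileged account. runas prompts
# for that account's password; everything else on the desktop keeps running
# with the limited user's token, which is the point of the exercise.
function Start-AsAdmin {
    param([Parameter(Mandatory)][string]$Command)
    runas.exe /user:$AdminAccount $Command
}

if (Test-IsLocalAdmin) {
    Write-Warning "This session already holds local administrator rights; log on with a limited account for day-to-day work."
} else {
    Write-Host "Limited user $env:USERDOMAIN\$env:USERNAME - elevating only the tool that needs it."
    Start-AsAdmin 'mmc.exe compmgmt.msc'
}
```

Avoid runas with /savecred for the privileged account: a cached credential defeats the separation, since anything running as the limited user could then launch elevated processes without a prompt.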
snoopfrogg commented:
The Domain Admins group is added to the local administrators group on domain-joined workstations by default, and you can't remove the Domain Admins group from the local administrators.

For administrators, I prefer to create two domain-based accounts, one with administrative rights (not Domain Admin level) and one with typical Domain User rights.  For normal use, administrators can use the lower privileged account to prevent accidental deletions and malware installation and/or propagation.  When administrators need to use higher privileges, they can log in with the separate higher privileged account.

A benefit of going this route is that auditing administrator activity on the network is easier to accomplish.  The use of a Domain Admin account becomes a rarity, so when you see it being used in an interactive session in your security logs, there are far fewer auditing entries for its use and you'll be more likely to notice.
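The auditing benefit described above becomes concrete once there is a query that surfaces interactive use of Domain Admin accounts. The following is an added example, not code from this thread. It assumes Windows Vista/Server 2008 or later (successful logons are event 4624 there; XP logged them as 528), the ActiveDirectory module from RSAT for Get-ADGroupMember, and read access to the Security log, which itself requires administrative rights.

```powershell
# Added example: list interactive (type 2) and RDP (type 10) logons by members of
# Domain Admins in a Security log, so the rare interactive use of such an account
# stands out for review. Not code from the thread.
# Assumes event 4624 (Vista/2008+), the ActiveDirectory module, and log read access.
function Get-DomainAdminInteractiveLogon {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # workstation or server to inspect
        [int]$Hours = 24,                             # look-back window
        [string]$GroupName = 'Domain Admins'
    )

    # Resolve current membership, including users nested through other groups.
    $privileged = Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName

    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($evt in $events) {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Logon type 2 = interactive at the console, 10 = RemoteInteractive (RDP).
        if ($data['LogonType'] -notin '2','10') { continue }
        if ($privileged -notcontains $data['TargetUserName']) { continue }

        [pscustomobject]@{
            Time        = $evt.TimeCreated
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType   = $data['LogonType']
            Workstation = $data['WorkstationName']
            SourceIP    = $data['IpAddress']
        }
    }
}

# Usage: review the last day on this machine and question anything unexpected.
Get-DomainAdminInteractiveLogon -Hours 24 | Format-Table -AutoSize
```

Because the Domain Admin account is used only for domain controller work under this model, every row this returns on an ordinary workstation is worth a follow-up.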
ITMaster1979 commented:
Try to use restricted groups from Group Policy
garystark (Author) commented:
So if I want to keep using my existing profile, email, etc., could I just demote myself after first creating myself a new domain admin account?  I'd rather keep my current account intact as much as possible, rather than try moving profiles around.

gary
snoopfrogg commented:
I would create the following two accounts:

1.  adminGStark - this account would have higher privileges and could be added to the local administrators group on workstations and member servers to accomplish administrative tasks.  I'd recommend against making this a domain administrator group member; use the existing domain administrator account for the times you need to perform work on domain controllers.

2.  GStark - Use this account as your typical day-to-day account.  Tie email to this account.  Once you have logged in with this account, migrate your existing profile to this account and copy email from your existing account to this account's mailbox.

Yes, it is work up front to accomplish the switch, but you'll be much more secure.
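The two-account layout above (adminGStark for administration, GStark for daily use) and the earlier Restricted Groups suggestion fit together: grant workstation admin rights through a domain group, and let Group Policy enforce the local Administrators membership. The script below is an added example, not code from this thread. It assumes the ActiveDirectory module from RSAT, rights to create objects in the target OU, and a domain group named "Workstation Admins" (a name chosen here); the OU and domain names are placeholders. The final function shows the check a workstation-side audit would run against the membership that a Restricted Groups policy enforces.

```powershell
# Added example for the two-account model plus group-based workstation admin rights.
# Not code from the thread. OU, domain and group names are placeholders/assumptions.
$OU                    = 'OU=Staff,DC=contoso,DC=com'   # placeholder OU
$Domain                = 'CONTOSO'                       # placeholder NetBIOS domain name
$WorkstationAdminGroup = 'Workstation Admins'            # group name chosen for this example

# 1. Privileged account: member of the workstation admin group, never of Domain Admins.
New-ADUser -Name 'adminGStark' -SamAccountName 'adminGStark' -Path $OU -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString 'Initial password for adminGStark') `
    -ChangePasswordAtLogon $true
New-ADGroup -Name $WorkstationAdminGroup -GroupScope Global -Path $OU -ErrorAction SilentlyContinue
Add-ADGroupMember -Identity $WorkstationAdminGroup -Members 'adminGStark'

# 2. Day-to-day account: an ordinary Domain User with no extra group memberships.
New-ADUser -Name 'GStark' -SamAccountName 'GStark' -Path $OU -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString 'Initial password for GStark') `
    -ChangePasswordAtLogon $true

# The workstation admin group is then placed in local Administrators on each
# workstation through a Group Policy Restricted Groups setting, so individual
# users never need to be added by hand.

# On a workstation: report any local Administrators member outside the approved list.
# This is the same membership the Restricted Groups policy enforces; extra members
# indicate drift or someone adding themselves manually.
function Get-UnexpectedLocalAdmin {
    param(
        [string[]]$Approved = @('Administrator', "$Domain\Domain Admins", "$Domain\$WorkstationAdminGroup")
    )
    # net localgroup prints header lines, a dashed separator, the members, then a trailer.
    $lines   = net localgroup Administrators
    $sep     = ($lines | Select-String -Pattern '^-{5,}' | Select-Object -First 1).LineNumber  # 1-based
    $members = $lines[$sep..($lines.Count - 1)] |
        Where-Object { $_ -and $_ -notmatch 'completed successfully' }
    $members | Where-Object { $Approved -notcontains $_ }
}

Get-UnexpectedLocalAdmin
```

Keeping adminGStark out of Domain Admins is what makes the earlier auditing advice work: the Domain Admin account is then used only on domain controllers, and any workstation logon by it is anomalous by definition.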
pablovr commented:
Anyway