local admin rights

Posted on 2009-05-15
Last Modified: 2013-11-05
I am compiling a checklist that we want our domain/network admins to consider before authorising any requests from users as to whether they should or should not be allowed local admin rights on their PC. Have any of you done a similar exercise in your organisation, and what are the key issues you consider that give the end user a yes or no as to whether their request is appropriate (to ensure we haven't overlooked anything)?
Question by:pma111
LVL 21

Accepted Solution

snusgubben earned 100 total points
ID: 24394477
Two thoughts:

1. When a user is local admin on a PC the risk of getting a virus infection is higher. This can result in infecting files on file shares, e-mail spamming and brute force attacks in your internal network.

2. This will also give the user the ability to install software locally. This can result in slowing down the PC. A slow PC results in a slow working person.

Author Comment

ID: 24394658
Thanks snusgubben, I'll see if anything else gets added by others...
LVL 27

Assisted Solution

bluntTony earned 200 total points
ID: 24394947

I agree with snusgubben - elevated user rights = elevated risk. What case would you consider acceptable to have user as a local admin?

What reasons are your users giving to be a local admin? Depending on the requests, you might be able to be more granular in granting certain rights.

Author Comment

ID: 24395080
Hi bluntTony:

The main reasons we are getting range from certain apps not working properly unless they have local admin rights, certain functionality within software and apps not working without local admin rights, and some bizarre ones that don't seem to be justified which have been point blank rejected.

Out of interest then, I'd be interested to know which scenarios / reasons you agree with the user and grant a user local admin, and which scenarios / reasons you don't.

Assisted Solution

Froggy_chris earned 100 total points
ID: 24395115

I usually stick to the policy: no rights for users except the rights they must have to work. That said, I haven't yet met any situation where the user has to be Local Admin. So if the user doesn't have to be, he won't be :)

Security has to be thought of in a "reverse" way, so do not think of reasons why they should not be admin, but think in terms of reasons why they should be.

A big thing you have to bear in mind (if you're not using app virtualisation): the extensive tests for new applications. There still are a lot of apps that won't work properly (you often have to play with Procmon and find out what is accessed). Then permissions for a given app can be arranged through a given GPO for the users.

LVL 27

Assisted Solution

bluntTony earned 200 total points
ID: 24395215
In general I would say there are not many cases where standard users should have admin rights. Identify the tasks that users need to perform and grant those rights accordingly through group membership and local/group policy.

I suppose the correct answer for your problem would be to identify exactly where the problems are in the file system/registry that are causing the access problems in the software and relax the security on them. From this you can create a security template you can then apply to your workstations. I know this is easier said than done though.

However, if the software is quite old, it may be that it's based on the old NT4 security model. This can cause problems on newer systems where seemingly harmless processes require local admin rights.

MS's fix for this is the compatws.inf security template in C:\windows\security\templates. Sometimes applying this policy relaxes the security on certain files/reg keys and allows the older apps to work for non-admins. Like I say though, this may not be applicable to you.
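The two answers above describe the same procedure: run Procmon, find the file system and registry locations where the application gets ACCESS DENIED, then relax permissions on just those locations instead of making the user a local admin. As an added example that is not from the original thread or any of its posters, here is a small Python script that parses a Procmon CSV export (File > Save, CSV format), lists the ACCESS DENIED events for one process, and proposes the narrowest grants: the parent folder or parent registry key, with Modify only where a write was attempted. The CSV rows, the application name legacyapp.exe, the paths and the group name "CORP\LegacyApp-Users" are constructed assumptions for the demonstration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Procmon CSV export; not a real capture.
# Procmon writes exactly these seven columns when saving as CSV.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567","legacyapp.exe","4120","CreateFile","C:\\Program Files\\LegacyApp\\settings.ini","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.1240000","legacyapp.exe","4120","CreateFile","C:\\Program Files\\LegacyApp\\settings.ini","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.1300000","legacyapp.exe","4120","RegSetValue","HKLM\\SOFTWARE\\LegacyApp\\LastRun","ACCESS DENIED","Type: REG_SZ"
"10:01:02.1400000","legacyapp.exe","4120","CreateFile","C:\\Program Files\\LegacyApp\\legacyapp.exe","SUCCESS","Desired Access: Read"
"10:01:02.1500000","explorer.exe","1200","RegQueryValue","HKCU\\Software\\Microsoft\\Windows","SUCCESS",""
"10:01:02.1600000","legacyapp.exe","4120","CreateFile","C:\\Program Files\\LegacyApp\\logs\\app.log","ACCESS DENIED","Desired Access: Generic Write"
"""

# Operations that are writes by nature; for CreateFile the "Desired Access" detail decides.
WRITE_OPERATIONS = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey",
                    "WriteFile", "SetDispositionInformationFile"}


def _is_write(operation, detail):
    return operation in WRITE_OPERATIONS or "Write" in detail or "Delete" in detail


def access_denied_by_path(csv_text, process_name):
    """Return {path: {"kind", "operations", "count", "write"}} for every
    ACCESS DENIED event that process_name produced in the capture."""
    denied = defaultdict(lambda: {"operations": set(), "count": 0, "write": False})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Result"] != "ACCESS DENIED":
            continue
        entry = denied[row["Path"]]
        entry["operations"].add(row["Operation"])
        entry["count"] += 1
        entry["write"] = entry["write"] or _is_write(row["Operation"], row["Detail"])
    result = {}
    for path, entry in denied.items():
        # Procmon prefixes registry paths with the hive abbreviation (HKLM, HKCU, ...).
        kind = "registry" if path.split("\\", 1)[0].upper().startswith("HK") else "file"
        result[path] = {"kind": kind, "operations": sorted(entry["operations"]),
                        "count": entry["count"], "write": entry["write"]}
    return result


def suggest_grants(denied):
    """Collapse denied paths to their parent folder / parent key and return a sorted
    list of (kind, target, right). Modify wins over Read for the same target."""
    grants = {}
    for path, entry in denied.items():
        target = path.rsplit("\\", 1)[0]  # parent folder, or parent key of a value
        right = "Modify" if entry["write"] else "Read"
        key = (entry["kind"], target)
        if grants.get(key) != "Modify":
            grants[key] = right
    return sorted((kind, target, right) for (kind, target), right in grants.items())


def icacls_commands(grants, group):
    """Render icacls lines for the file-system grants. Registry grants have no icacls
    equivalent and are best set through Group Policy (Registry security settings)."""
    flag = {"Modify": "(OI)(CI)M", "Read": "(OI)(CI)RX"}
    return [f'icacls "{target}" /grant "{group}":{flag[right]}'
            for kind, target, right in grants if kind == "file"]


if __name__ == "__main__":
    denied = access_denied_by_path(SAMPLE_PROCMON_CSV, "legacyapp.exe")
    for path, entry in sorted(denied.items()):
        print(f'{entry["count"]:>3}x {entry["kind"]:<8} {path}  ops={entry["operations"]}')
    grants = suggest_grants(denied)
    for kind, target, right in grants:
        print(f"{kind:<8} {right:<6} {target}")
    for line in icacls_commands(grants, r"CORP\LegacyApp-Users"):
        print(line)
```

The point of collapsing to the parent folder or key is that a per-file ACL breaks the next time the application recreates the file; a Modify grant on the application's own data folder or key is still far narrower than membership in the local Administrators group. Review the proposed list by hand before applying it: a denied write under C:\Windows or HKLM\SOFTWARE\Microsoft usually indicates the application should be fixed or virtualised rather than granted.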

Assisted Solution

slinkygn earned 100 total points
ID: 24396674

Is a great resource for solutions for programs that insist on running in Administrator (or Power User) accounts. It is much better to give limited users the specific permissions to the resources they need to run those specific programs than to give them blanket privileges to everything on the system for just a few programs. The site also mentions the LUABuglight program, which allows you to figure out the specific access permissions yourself for programs that aren't listed.

For a much niftier commercial solution, Privilege Manager from BeyondTrust allows you to configure per-program permissions, so you can easily set programs up to have what access level they need to run while leaving users with limited accounts.
LVL 27

Expert Comment

ID: 24396750
Like the link, slinkygn.

I noticed Quickbooks was on the 'hall of shame' list. This app I had to work around by applying compatws.inf.
