• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 592

local admin rights

I am compiling a checklist that we want our domain/network admins to consider before authorising any requests from users as to whether they should or should not be allowed local admin rights on their PC. Have any of you done a similar exercise in your organisation, and what are the key issues you consider that give the end user a yes or no as to whether their request is appropriate (to ensure we haven't overlooked anything)?
5 Solutions
Two thoughts:

1. When a user is local admin on a PC, the risk of getting a virus infection is higher. This can result in infecting files in file shares, e-mail spamming and brute-force attacks in your internal network.

2. This will also give the user the ability to install software locally. This can result in slowing down the PC. A slow PC results in a slow working person.
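The risk snusgubben describes is easiest to manage when you can actually see who holds local admin rights and whether that matches what was approved. The script below is an added example, not code from any poster in this thread: it lists the members of the local Administrators group on a workstation and flags anything outside an approved baseline. It assumes Windows 10 / Server 2016 or later (where Get-LocalGroupMember is built in); the CONTOSO domain and the group names in the baseline are constructed placeholders.

```powershell
# Added example, not code from the thread. Audits the local Administrators group
# on this workstation and flags members outside an approved baseline, so that
# drift (a user who kept admin rights after a one-off request) is visible.
# Assumes Windows 10 / Server 2016 or later (Get-LocalGroupMember is built in).
# The domain name and group names below are constructed placeholders.

$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local account (placeholder policy)
    'CONTOSO\Domain Admins',             # placeholder domain group
    'CONTOSO\Workstation Admins'         # placeholder delegated IT support group
)

function Get-LocalAdminDrift {
    param([string[]] $Approved = $ApprovedAdmins)

    # Each member comes back with Name (DOMAIN\account), ObjectClass (User/Group)
    # and PrincipalSource (Local / ActiveDirectory / AzureAD).
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    foreach ($m in $members) {
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Name        = $m.Name
            ObjectClass = $m.ObjectClass
            Source      = $m.PrincipalSource
            Approved    = [bool]($Approved -contains $m.Name)   # case-insensitive match
        }
    }
}

$report     = Get-LocalAdminDrift
$unexpected = @($report | Where-Object { -not $_.Approved })

$report | Format-Table -AutoSize
if ($unexpected.Count -gt 0) {
    Write-Warning ("{0} unapproved member(s) of local Administrators: {1}" -f `
        $unexpected.Count, ($unexpected.Name -join ', '))
    exit 1   # non-zero exit so a scheduled task or RMM job can raise an alert
}
```

Run it as a scheduled task or through your management tooling and collect the exit code; a non-zero result is the trigger to revisit the original request against your checklist. One caveat: on some Windows builds Get-LocalGroupMember throws when the group contains an orphaned SID (a deleted domain account); if you hit that, `net localgroup Administrators` still lists the members and can be parsed instead.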
pma111 (Author) Commented:
Thanks snusgubben, I'll see if anything else gets added by others...
bluntTony (Head of ICT) Commented:

I agree with snusgubben - elevated user rights = elevated risk. What case would you consider acceptable to have user as a local admin?

What reasons are your users giving to be a local admin? Depending on the requests, you might be able to be more granular in granting certain rights.

pma111 (Author) Commented:
Hi bluntTony:

The main reasons we are getting range from certain apps not working properly unless they have local admin rights, certain functionality within software and apps not working without local admin rights, and some bizarre ones that don't seem to be justified, which have been point-blank rejected.

Out of interest then, I'd be interested to know which scenarios/reasons you agree with the user on and grant a user local admin, and which scenarios/reasons you don't.


I usually stick to the policy: no rights for users except the rights they must have to work. That said, I haven't yet met any situation where the user has to be Local Admin. So if the user doesn't have to be, he won't be :)

Security has to be thought of in a "reverse" way: do not think of reasons why they should not be admin, but think in terms of reasons why they should be.

A big thing you have to bear in mind (if you're not using app virtualisation): the extensive tests for new applications. There are still a lot of apps that won't work properly (you often have to play with Procmon and find out what is accessed). Then permissions for a given app can be arranged through a given GPO for the users.

bluntTony (Head of ICT) Commented:
In general I would say there are not many cases where standard users should have admin rights. Identify the tasks that users need to perform and grant those rights accordingly through group membership and local/group policy.

I suppose the correct answer for your problem would be to identify exactly where the problems are in the file system/registry that are causing the access problems in the software and relax the security on them. From this you can create a security template you can then apply to your workstations. I know this is easier said than done though.

However, if the software is quite old, it may be that it's based on the old NT4 security model. This can cause problems on newer systems where seemingly harmless processes require local admin rights.

MS's fix for this is the compatws.inf security template in C:\windows\security\templates. Sometimes applying this policy relaxes the security on certain files/registry keys and allows the older apps to work for non-admins. Like I say though, this may not be applicable to you.

Is a great resource for solutions for programs that insist on running in Administrator (or Power User) accounts.  It is much better to give limited users the specific permissions to the resources they need to run those specific programs than to give them blanket privileges to everything on the system for just a few programs.  The site also mentions the LUABuglight program, which allows you to figure out the specific access permissions yourself for programs that aren't listed.

For a much niftier commercial solution, Privilege Manager from BeyondTrust (http://www.beyondtrust.com/) allows you to configure per-program permissions, so you can easily set programs up to have what access level they need to run while leaving users with limited accounts.
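Both bluntTony's suggestion (find the exact files and registry keys the app trips over and relax only those) and sliknygn's point (give limited users specific permissions to specific resources rather than blanket admin) come down to targeted ACL changes. The script below is an added example, not code from any poster or from the products mentioned: it grants a standard-user group Modify on one application data folder and value-write rights on one registry key, then shows the resulting rules for review. The LegacyApp paths and the group are constructed placeholders; the assumption is that these paths were identified from ACCESS DENIED results in Procmon, as mentioned earlier in the thread. It must be run elevated.

```powershell
# Added example, not code from the thread. Gives standard users write access to
# the specific locations a legacy app needs instead of local admin rights.
# Paths below are constructed placeholders; in practice they come from Procmon
# ACCESS DENIED events for the app running as a standard user. Run elevated.

$AppDataFolder = 'C:\Program Files (x86)\LegacyApp\Data'               # placeholder
$AppRegKey     = 'HKLM:\SOFTWARE\WOW6432Node\LegacyVendor\LegacyApp'   # placeholder
$Principal     = 'BUILTIN\Users'   # the standard-user group; a dedicated AD group also works

function Grant-FolderModify {
    param([string] $Path, [string] $Identity)
    # Modify on the folder, inherited by subfolders and files, but nothing more
    # (no Full Control, no change of ownership or permissions).
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-RegistryKeyWrite {
    param([string] $Path, [string] $Identity)
    # Enough to read and write values and create subkeys under this key only;
    # no Delete, ChangePermissions or TakeOwnership.
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity, 'ReadKey, SetValue, CreateSubKey', 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Grant-FolderModify      -Path $AppDataFolder -Identity $Principal
Grant-RegistryKeyWrite  -Path $AppRegKey     -Identity $Principal

# Verification: show only the rules that now apply to the principal we granted.
(Get-Acl -Path $AppDataFolder).Access | Where-Object IdentityReference -eq $Principal
(Get-Acl -Path $AppRegKey).Access     | Where-Object IdentityReference -eq $Principal
```

Two points worth keeping in mind when you do this at scale. First, grant write access to data locations only, never to the folder holding the application's executables and DLLs; a user who can write there can replace what every other user (or an admin) runs. Second, once the set of paths is settled, put the same entries into a security template or the File System and Registry nodes of a GPO, as bluntTony describes, so the relaxation is applied consistently and is visible in policy rather than living only in one machine's ACLs.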
bluntTony (Head of ICT) Commented:
Like the link, sliknygn.

I noticed Quickbooks was on the 'hall of shame' list. This app I had to work around by applying compatws.inf.