
local admin rights

I am compiling a checklist that we want our domain/network admins to consider before authorising any requests from users as to whether they should or should not be allowed local admin rights on their PC. Have any of you done a similar exercise in your organisation, and what are the key issues you consider that give the end user a yes or no as to whether their request is appropriate (to ensure we haven't overlooked anything)?
5 Solutions
Two thoughts:

1. When a user is local admin on a PC the risk of getting a virus infection is higher. This can result in infecting files in file shares, e-mail spamming and brute force attacks in your internal network.

2. This will also give the user the ability to install software locally. This can result in slowing down the PC. A slow PC results in a slow working person.
pma111Author Commented:
Thanks snusgubben, I'll see if anything else gets added by others...

I agree with snusgubben - elevated user rights = elevated risk. What case would you consider acceptable to have user as a local admin?

What reasons are your users giving to be a local admin? Depending on the requests, you might be able to be more granular in granting certain rights.

pma111Author Commented:
Hi bluntTony:

The main reasons we are getting range from certain apps not working properly unless they have local admin rights, certain functionality within software and apps not working without local admin rights, and some bizarre ones that don't seem to be justified which have been point blank rejected.

Out of interest then, I'd be interested to know which scenarios / reasons you agree with the user and grant a user local admin, and which scenarios / reasons you don't.


I usually stick to the policy: No rights for users except the rights they must have to work. That said, I haven't met yet any situation where the user has to be Local Admin. So if the user doesn't have to be, he won't be :)

Security has to be thought of in a "reverse" way.. so do not think of reasons why they should not be admin, but think in terms of reasons why they should be.

A big thing you have to bear in mind (if you're not using App virtualisation): the extensive tests for new applications. There are still a lot of apps that won't work properly (you often have to play with Procmon and find out what is accessed). Then permission for a given app can be arranged through a given GPO for the users.

In general I would say there are not many cases where standard users should have admin rights. Identify the tasks that users need to perform and grant those rights accordingly through group membership and local/group policy.

I suppose the correct answer for your problem would be to identify exactly where the problems are in the file system/registry that are causing the access problems in the software and relax the security on them. From this you can create a security template you can then apply to your workstations. I know this is easier said than done though.

However, if the software is quite old, it may be that it's based on the old NT4 security model. This can cause problems on newer systems where seemingly harmless processes require local admin rights.

MS's fix for this is the compatws.inf security template in C:\windows\security\templates. Sometimes applying this policy relaxes the security on certain files/reg keys and allows the older apps to work for non-admins. Like I say though, this may not be applicable to you.
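An added PowerShell example (not posted by anyone in this thread) of the approach described above: grant a specific group the access an application needs on the exact file and registry locations a Procmon trace flagged, rather than making the user a local admin. The group name, folder and registry key are placeholders for whatever your own trace identifies.

```powershell
# Added example, not from the thread. Run elevated on the workstation.
# Placeholders (assumed values, replace with what Procmon showed as ACCESS DENIED):
$AppGroup  = 'CORP\LegacyApp-Users'                    # assumed AD security group
$AppFolder = 'C:\Program Files (x86)\LegacyApp\Data'   # assumed folder the app writes to
$AppRegKey = 'HKLM:\SOFTWARE\LegacyApp'                # assumed key the app writes to

# 1. File system: Modify on the app's own data folder, inherited by its children.
$folderAcl  = Get-Acl -Path $AppFolder
$folderRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList @($AppGroup, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$folderAcl.AddAccessRule($folderRule)
Set-Acl -Path $AppFolder -AclObject $folderAcl

# 2. Registry: FullControl on the app's own key only, never on HKLM\SOFTWARE itself.
$regAcl  = Get-Acl -Path $AppRegKey
$regRule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList @($AppGroup, 'FullControl', 'ContainerInherit', 'None', 'Allow')
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $AppRegKey -AclObject $regAcl

# 3. Verify the new entries landed where intended (and only there).
(Get-Acl -Path $AppFolder).Access | Where-Object IdentityReference -eq $AppGroup |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
(Get-Acl -Path $AppRegKey).Access | Where-Object IdentityReference -eq $AppGroup |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags -AutoSize

# 4. Audit: who is still in the local Administrators group on this machine?
# Anything beyond the built-in Administrator and your domain admin group needs
# an entry in the checklist explaining why. (Requires the LocalAccounts module.)
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass

# For genuinely old (NT4-era) apps, the broader compatws.inf template mentioned
# above can be applied instead, at the cost of relaxing more than one app needs:
#   secedit /configure /db C:\Windows\security\compatws.sdb /cfg C:\Windows\security\templates\compatws.inf
```

Apply the narrow ACL changes first and fall back to compatws.inf only if the per-path grants are not enough, since the template loosens permissions system-wide.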

Is a great resource for solutions for programs that insist on running in Administrator (or Power User) accounts.  It is much better to give limited users the specific permissions to the resources they need to run those specific programs than to give them blanket privileges to everything on the system for just a few programs.  The site also mentions the LUABuglight program, which allows you to figure out the specific access permissions yourself for programs that aren't listed.

For a much niftier commercial solution, Privilege Manager from BeyondTrust (http://www.beyondtrust.com/) allows you to configure per-program permissions, so you can easily set programs up to have what access level they need to run while leaving users with limited accounts.
Like the link sliknygn.

I noticed Quickbooks was on the 'hall of shame' list. This app I had to work around by applying compatws.inf.
