Admin Rights Best Practices

Last Modified: 2018-09-14
We have a broad range of users from developers and testers to Desktop Support, etc. Apart from security groups which allow domain level access for help desk and users, we have the need for local admin rights on the machines.

I know that best practice is to determine what access/permissions are needed on the local level and grant that access without the use of local admin rights; however, we are not there yet.

We are planning on using a bang account (second account) such as sfarazmand! We want to limit domain access as well, so that users are not using the admin account as their default.

The question is which is best practice: to use a domain account or a local account. What are the pros and cons of each?

Author commented:
The main concern is local admin rights (LAR) for users. One user per machine (flast! on workstation1). Users currently have admin rights and we have been cleaning this up. There are, however, those who state they need these rights, and while we work with business units to find out exactly why, we still need to get the job done.
We currently (someone's poor design) have all the users (about 3000) in the Users container. We cannot change this because there are about 40 applications pointing there. If we do use Group Policy it will require going through an approval process as well as management on a monthly basis.
The mentality was that with the second account, the account management group could simply disable the account, instantly removing LAR. We would be able to place the secondary accounts in an OU, making it easy to see who has local admin rights, which would enable us to ensure those accounts or that access is not removed and that we can go back and review to see if they are still needed.
That's what we were thinking.

Author commented:
To clarify with the OUs/Admins, I was talking about domain accounts (which would be the user account with an ! at the end) put in the OU and then using the new 2008 Group Policy Preferences to manage LAR. That would prevent the user from adding another admin account on the machine.
http://www.windowsecurity.com/articles/Securing-Local-Administrators-Group-Every-Desktop.html
http://msforums.ph/blogs/phiwug/archive/2009/03/30/windows-server-2008-manageability-features-group-policy-preferences-part-2-the-local-administrator.aspx

Author commented:
Thanks for all the input. This has me thinking a bit more and I will need to present all sides as options. Thanks again.

Commented:
I would love it if bluntTony saw my comment and replied! I am in a similar situation as the OP. I have an inherited AD that needs some attention. Domain Users was granted membership to the local Administrators group on all PCs. I have corrected that for 90% of my domain at this point by simply removing Domain Users from that policy. Now I need to implement a good method for allowing some users administrative access, like we commonly say, for those users that say they need local admin privs.

bluntTony, in your solution for the OP, you say just add/remove users to and from the OU. Are you in the mindset of the "user" needing access and they call the helpdesk, the helpdesk tech moves the user into the appropriate OU and later removes them? If I understand this correctly, this would grant the user LAR for any PC that is also in the appropriate OU.

If so, what is the option for granting LAR for a user specifically on their PC? We have limited staff, we do not have a helpdesk, I am all-in for this methodology but unfortunately I don't think it will get approved. So, what I am trying to accomplish is to allow a small group of users LAR to their PC ONLY and no one else's.
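One way to get the "this user is admin on this PC only" model the last comment asks for, and the "see who has LAR and stop users adding a second admin account" goal from the OP, is a reconciliation script that runs on each workstation (startup script or scheduled task) and compares the local Administrators group against an allow-list. This is an added example, not code from the thread or from any of the commenters; it assumes a per-computer domain group named "LAR-<COMPUTERNAME>" that holds the bang account allowed on that machine, and the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Server 2016 and later).

```powershell
# Added example (not from the thread): reconcile the local Administrators group
# against an allow-list built from a per-computer naming convention.
# Assumptions (not from the original page):
#   - a domain group "LAR-<COMPUTERNAME>" exists per workstation and holds the
#     bang account(s) allowed to be local admin on that machine only;
#   - the Microsoft.PowerShell.LocalAccounts module is available.
# Run with -WhatIf first to audit without changing anything.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Domain = $env:USERDOMAIN,
    [string]$PerMachineGroup = "LAR-$env:COMPUTERNAME"   # assumed naming convention
)

# Baseline members that must always stay in the group.
$Baseline = @(
    "$env:COMPUTERNAME\Administrator",
    "$Domain\Domain Admins"
)
$Allowed = $Baseline + "$Domain\$PerMachineGroup"

# Get-LocalGroupMember returns DOMAIN\name for domain members and COMPUTER\name for local ones.
$Current    = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
$Unexpected = $Current | Where-Object { $Allowed -notcontains $_ }   # case-insensitive compare

# Report first: this is the "who has LAR on this box" view the thread asks for.
Write-Output "Computer: $env:COMPUTERNAME"
Write-Output "Allowed : $($Allowed -join ', ')"
Write-Output "Current : $($Current -join ', ')"

foreach ($m in $Unexpected) {
    # Anything outside the allow-list (e.g. a second admin account a user added
    # while they had LAR) is removed; -WhatIf only logs what would be removed.
    if ($PSCmdlet.ShouldProcess($m, 'Remove from local Administrators')) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $m
        Write-Output "Removed : $m"
    }
}

# Make sure the per-machine group is present so the allowed account keeps LAR
# on this PC only; disabling the bang account in AD then revokes it instantly.
if ($Current -notcontains "$Domain\$PerMachineGroup") {
    if ($PSCmdlet.ShouldProcess("$Domain\$PerMachineGroup", 'Add to local Administrators')) {
        try {
            Add-LocalGroupMember -Group 'Administrators' -Member "$Domain\$PerMachineGroup" -ErrorAction Stop
            Write-Output "Added   : $Domain\$PerMachineGroup"
        } catch {
            # The group may not exist yet for this machine; surface that instead of failing silently.
            Write-Warning "Could not add $Domain\$PerMachineGroup : $($_.Exception.Message)"
        }
    }
}
```

Because membership is keyed to the computer name, a user in LAR-WORKSTATION1 gets no rights on any other PC, and the per-machine groups in one OU give the account management team the same "who has LAR" review view the OP wanted from a bang-account OU.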