Users with Local Administrator rights.

Posted on 2009-12-16
Last Modified: 2013-12-04
The company I work for has grown quite a bit over the last few years. Three years ago our locations were linked via site-to-site VPNs, a domain was created, and all users and computers were joined to that domain. We are a specialty company and most of our users are engineers or technicians who need the ability to install software, so all users have been set up as local administrators.

I started with the company two years ago and immediately pointed out the huge security problem with making users local administrators. The main problem is that all users can browse admin shares on all other computers, especially the executives' computers.

Users still need the ability to install software, but how can I lock down the domain to prevent users from browsing admin shares on other computers in the domain without stopping them from installing software?

Is there a white paper or best practices paper that I can use as a guideline to implement a security policy?
Question by: brayn
    LVL 11

    Accepted Solution

    Local administrators cannot browse the administrative shares on computers where they are not administrators. Remove them from the local Administrators group on those "executive computers".

    You could also disable the administrative shares.

    You can use Restricted Groups by GPO to limit who is who on each computer.

    Author Comment

    I should have worded it a little differently. Domain Users are members of the local administrators group. Eventually we are going to remove some domain users from the local admins group, but most of our users will need to remain in order to have the ability to install software.

    Prior to submitting this question I have run some tests using restricted groups and that seems to be the best solution so far.
    LVL 5

    Expert Comment

    The strangest thing about this question is this:

    Why would a network admin allow users to install applications? It is totally wrong.
    You are saying that users need to be able to install applications, and it sounds like installing applications is the only thing that your users do.

    Giving this sort of access is not correct, it is TOTALLY WRONG. Go to your general manager and IT manager, hit them on the head and say it is not allowed.

    If I knew which company you are, I would hack everything you have in your company.
    It is like welcoming all the viruses, like walking naked in the middle of the city :)

    I am sorry for my hard words, but it is true. I didn't want to offend you.


    Author Comment

    The reason that users need to be able to install applications is because most of our users are technicians who go out into the field and work on many different types of equipment. Sometimes they need to be able to install proprietary software in order to access and/or program the equipment. They are also on call and have to go out into the field at all hours of the night, so it would not be good to prevent them from being able to install software, especially if they are out in the field at 2:00 AM.
    LVL 11

    Expert Comment

    Hello again brayn. The wrong step here is to put Domain Users as local administrators. You should add each user to his own computer as a local administrator. That way they will be able to install software on their own computers but won't have administrative rights on the LAN.

    Now, when a user tries to browse a C$ resource on another computer, that other computer has defined (by local policies) that only local administrators are able to access the C$ share. But the local administrators are Domain Users, so any user in the domain can access the C$ share. If the number of executives' computers is small, you can remove the Domain Users group from the local Administrators group on those computers. But keeping Domain Users as local administrators will still be a mistake.

    Please let me know if you cannot understand my English; it is not my native language and the explanation can be a bit confusing.
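The accepted solution and the comment above describe the same change per machine: take "Domain Users" out of the local Administrators group, grant admin rights only to the computer's assigned user, and optionally disable the automatic administrative shares. The following PowerShell is an added example, not code posted in this thread. It uses the ADSI WinNT provider, which talks to a remote workstation over RPC/SMB from any PowerShell version without PS remoting. The domain name CORP, computer name WS-TECH01 and user jdoe are assumed placeholders; run it as a domain account that is still a local administrator on the target.

```powershell
<#
 Added example, not code from the original thread. For one workstation it:
   1. removes the blanket "Domain Users" membership from local Administrators,
   2. adds only that computer's assigned user (who can still install software there),
   3. keeps Domain Admins so the machine stays centrally manageable,
   4. optionally disables the automatic C$/D$/ADMIN$ shares.
 Assumed names: domain CORP, computer WS-TECH01, user jdoe.
#>
param(
    [string]$Domain   = 'CORP',       # assumption: NetBIOS domain name
    [string]$Computer = 'WS-TECH01',  # assumption: target workstation
    [string]$User     = 'jdoe',       # assumption: this computer's assigned user
    [switch]$DisableAdminShares       # also turn off C$/ADMIN$ on the target
)

function Get-LocalAdminPaths {
    # Returns member ADsPaths such as "WinNT://CORP/Domain Users" (no class suffix).
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    @($group.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
}

function Set-LocalAdminMembership {
    param([string]$Domain, [string]$Computer, [string]$User)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"

    # Members to remove / add: Path is how ADSI reports a member, Full is the
    # class-qualified form that Add()/Remove() expect.
    $remove = @(@{ Path = "WinNT://$Domain/Domain Users";  Full = "WinNT://$Domain/Domain Users,group" })
    $add    = @(@{ Path = "WinNT://$Domain/$User";         Full = "WinNT://$Domain/$User,user" },
                @{ Path = "WinNT://$Domain/Domain Admins"; Full = "WinNT://$Domain/Domain Admins,group" })

    $current = Get-LocalAdminPaths $Computer
    foreach ($m in $remove) {
        if ($current -contains $m.Path) { $group.Remove($m.Full); "removed $($m.Path)" }
    }
    foreach ($m in $add) {
        if ($current -notcontains $m.Path) { $group.Add($m.Full); "added $($m.Path)" }
    }
}

function Disable-AdminShares {
    # AutoShareWks (workstations) / AutoShareServer (servers) = 0 stops the Server
    # service from recreating C$, D$ and ADMIN$. It takes effect after that service
    # (or the machine) restarts. IPC$ remains, and anything that relies on ADMIN$
    # (PsExec, remote MSI pushes, some inventory agents) stops working against this host.
    param([string]$Computer)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $key  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters', $true)
    foreach ($name in 'AutoShareWks', 'AutoShareServer') {
        $key.SetValue($name, 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    }
    $key.Close(); $hklm.Close()
}

Set-LocalAdminMembership -Domain $Domain -Computer $Computer -User $User
if ($DisableAdminShares) { Disable-AdminShares -Computer $Computer }

# Verify: the assigned user and Domain Admins should be the only domain entries left.
"Administrators on ${Computer}:"
Get-LocalAdminPaths $Computer | Sort-Object
```

For more than a handful of machines the same result belongs in a Restricted Groups policy (Computer Configuration, Windows Settings, Security Settings, Restricted Groups), as the question's author ends up doing: its "Members of this group" setting replaces the local Administrators membership on every refresh, so a user who adds himself back is removed again. The script is the manual, per-machine equivalent and a quick way to confirm what a policy actually left in the group. Disabling the admin shares is a separate decision; it removes the browse path the question complains about, but it also removes the path the same administrators use for remote support, so most shops fix the group membership and leave the shares alone.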

    Author Comment

    I appreciate the responses. I have been working with Restricted Groups as I think this would be a better way to approach this. I have created user security groups and organized computers and laptops into OUs to which I applied group policies. This way a technician would be able to access another technician's admin share, but would not have access to a manager's admin share. The technician also would not have local admin rights if they were to log into a manager's computer. This will also allow me to more finely control a group's rights based on their title within the company.

    Author Comment

    The only problem with the Restricted Groups is that a few users have had issues with their local profile after the Restricted Groups policy has been applied. In order to correct the problem I have to give the user permissions to the profile and then point the registry key back to the correct profile. I am going to have to submit another question as to why this is happening.
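The two-step repair the author describes (re-grant the user rights on the profile folder, then point the registry back at it) is scripted below as an added example; it is not the author's procedure and the thread does not say which key was involved. It assumes the common "temporary profile" case, where the user's entry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList has been renamed <SID>.bak and a fresh <SID> entry points at a TEMP profile. The domain CORP, user jdoe and folder C:\Users\jdoe are assumed placeholders; run it elevated on the affected machine while the user is logged off (Vista/7 or later, for icacls and that ProfileList layout).

```powershell
<#
 Added example, not from the thread: repair a domain user's local profile after a
 Restricted Groups change. Assumes the "temporary profile" symptom where the
 ProfileList entry was renamed <SID>.bak. Assumed names: CORP, jdoe, C:\Users\jdoe.
#>
param(
    [string]$Domain      = 'CORP',           # assumption
    [string]$User        = 'jdoe',           # assumption
    [string]$ProfilePath = 'C:\Users\jdoe'   # assumption: the user's real profile folder
)

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-UserSid {
    # Resolve CORP\jdoe to its SID; the ProfileList subkeys are named by SID.
    param([string]$Domain, [string]$User)
    $nt = New-Object System.Security.Principal.NTAccount($Domain, $User)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Repair-ProfileAcl {
    # Step 1 from the thread: give the user ownership and full control of the profile
    # folder again (inherited to subfolders and files), continuing past locked files.
    param([string]$Domain, [string]$User, [string]$ProfilePath)
    $principal = "$Domain\$User"
    & icacls $ProfilePath /setowner $principal /T /C | Out-Null
    & icacls $ProfilePath /grant "${principal}:(OI)(CI)F" /T /C | Out-Null
}

function Repair-ProfileListKey {
    # Step 2 from the thread: point the ProfileList entry back at the real profile.
    param([string]$Sid, [string]$ProfilePath)
    $good = Join-Path $profileList $Sid
    $bak  = "$good.bak"

    if (Test-Path $bak) {
        # Windows created a new <SID> key for the TEMP profile; discard it and
        # restore the original entry that still carries the user's settings.
        if (Test-Path $good) { Remove-Item $good -Recurse -Force }
        Rename-Item -Path $bak -NewName $Sid
    }
    if (-not (Test-Path $good)) {
        throw "No ProfileList entry for $Sid on this machine; nothing to repair"
    }
    Set-ItemProperty -Path $good -Name ProfileImagePath -Value $ProfilePath -Type ExpandString
    Set-ItemProperty -Path $good -Name State    -Value 0 -Type DWord   # clear "temporary"/"error" flags
    Set-ItemProperty -Path $good -Name RefCount -Value 0 -Type DWord   # profile is not loaded
}

$sid = Get-UserSid -Domain $Domain -User $User
Repair-ProfileAcl     -Domain $Domain -User $User -ProfilePath $ProfilePath
Repair-ProfileListKey -Sid $sid -ProfilePath $ProfilePath

# Verify: the entry should now resolve to the real folder, not C:\Users\TEMP.
(Get-ItemProperty (Join-Path $profileList $sid)).ProfileImagePath
```

If the user is still logged on, the ProfileList key is in use and the rename fails, so log the user off first. Leaving the old TEMP folder under C:\Users in place is harmless; it can be removed once the user confirms the restored profile loads.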
