Power users versus local administrators group

Posted on 2011-09-11
Last Modified: 2012-08-13
Hi guys,
Hope you are all well and can help.
Our company has historically given all its users local admin access to their machines.
As an IT department, we have struggled to put the case to the powers that be that it is not best practice in any sense.
The reason they have decided on this is to allow users to install applications.

My questions to you guys are these:

1) Would we be better off removing standard users from being local admins, and instead granting them membership of the Power Users group?

2) In what ways would we be better off?

3) What limitations would there be if we did this in terms of what a Power Users group cannot do and what the local admins group CAN do?

Knowing the real difference between these two groups' capabilities would give us a good idea of whether it is a viable thing to do or not.

Any help greatly appreciated.
Question by: Simon336697
Assisted Solution by: X_layer (earned 125 total points)
Here describes the differences.

Accepted Solution by: Thomas_Roes (earned 125 total points)
You're not mentioning if you are talking about XP or 7 clients.

1) Definitely
2) Your users can change (remove / change password) of a local administrator account, keeping it safe for software / your own (IT department) purposes
3) Very different story for XP and 7:
[from Microsoft's site, XP:
Power Users

Members of the Power Users group can create user accounts, but can modify and delete only those accounts they create. They can create local groups and remove users from local groups they have created. They can also remove users from the Power Users, Users, and Guests groups.

They cannot modify the Administrators or Backup Operators groups, nor can they take ownership of files, back up or restore directories, load or unload device drivers, or manage the security and auditing logs.
[same site: about 7:
By default, members of this group have no more user rights or permissions than a standard user account. The Power Users group in previous versions of Windows was designed to give users specific administrator rights and permissions to perform common system tasks. In this version of Windows, standard user accounts inherently have the ability to perform most common configuration tasks, such as changing time zones. For legacy applications that require the same Power User rights and permissions that were present in previous versions of Windows, administrators can apply a security template that enables the Power Users group to assume the same rights and permissions that were present in previous versions of Windows.
[/end site quote]

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/lsm_local_groups.mspx?mfr=true

http://technet.microsoft.com/en-us/library/cc771990.aspx

I don't think your users should be doing anything that requires local administrative rights. In an AD environment, you are of course in a position to grant the extra rights you need to the user group or power user group.

Thomas Roes

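Before removing users from the local Administrators group, it helps to know who is actually in it on each machine. The following PowerShell script is an added example, not from any poster in this thread; it queries the local Administrators and Power Users groups through the ADSI WinNT provider (which works against XP and Windows 7 clients, unlike Get-LocalGroupMember) and flags any Administrators member not on an allow-list. The computer names and the allow-list are constructed placeholders, and the script assumes you hold admin rights on the targets.

```powershell
# Added example (not from the original thread): report local Administrators and
# Power Users membership on a list of machines and flag unexpected admins.
# Assumptions: admin rights on each target and remote SAM access allowed by the
# firewall. Computer names and the allow-list below are constructed placeholders.
param(
    [string[]]$ComputerName = @('PC-SALES01', 'PC-HR02'),     # constructed names
    [string[]]$Groups       = @('Administrators', 'Power Users'),
    # Accounts expected to hold local admin, e.g. the IT break-glass account
    [string[]]$Allowed      = @('Administrator', 'Domain Admins')
)

function Get-LocalGroupMembership {
    param([string]$Computer, [string]$Group)
    try {
        $grp = [ADSI]"WinNT://$Computer/$Group,group"
        # Members come back as COM objects; read ADsPath and Class via reflection
        $grp.psbase.Invoke('Members') | ForEach-Object {
            $path  = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
            $class = $_.GetType().InvokeMember('Class',   'GetProperty', $null, $_, $null)
            New-Object PSObject -Property @{
                Computer = $Computer
                Group    = $Group
                # WinNT://DOMAIN/name  ->  DOMAIN\name
                Member   = (($path -replace '^WinNT://', '') -replace '/', '\')
                Type     = $class          # 'User' or 'Group'
            }
        }
    } catch {
        # Unreachable host, firewall, or no rights: record it rather than stop
        Write-Warning ("{0}/{1}: {2}" -f $Computer, $Group, $_.Exception.Message)
    }
}

$report = foreach ($c in $ComputerName) {
    foreach ($g in $Groups) { Get-LocalGroupMembership -Computer $c -Group $g }
}

# Full picture of both groups on every machine
$report | Sort-Object Computer, Group | Format-Table Computer, Group, Member, Type -AutoSize

# Day-to-day accounts still sitting in Administrators: the ones to move to Users
$report | Where-Object {
    $_.Group -eq 'Administrators' -and
    ($Allowed -notcontains ($_.Member -split '\\')[-1])
} | Format-Table Computer, Member, Type -AutoSize
```

Run it again after the change to confirm only the allow-listed accounts remain; the same report works for the Power Users group if you decide to use it on XP clients.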
Author Comment by: Simon336697
Thanks so much guys for both your kind help.
Thomas, our users are XP and Windows 7.
They are used to installing their own software, and install their own printers.
Management have signed this off, so we need to keep providing this ability to them of installing software and printers. Would the power users give them this?

Assisted Solution by: hirenvmajithiya (earned 125 total points)
What is a Power User (a short description):

Power Users have less system access than Administrators but more than Users. By default, members of this group have Read/Write permissions to other parts of the system in addition to their own profile.
The default security settings for Power Users are backward compatible with the default security settings for Users in the Windows NT 4.0 operating system. This allows Power Users to run legacy applications that are not certified for Windows XP Professional and therefore cannot be run under the more secure Users context.
Power Users can perform many system-wide operations, such as changing system time and display settings, and creating user accounts and shares. Power Users also have Modify access to:
HKEY_LOCAL_MACHINE\Software
Program files
%windir%
%windir%\System32
Although Power Users have Modify access to the %windir% and %windir%\System32 directories, they have Read-only access to the files that are installed in these directories during Windows XP Professional text-mode setup. This allows noncertified applications to write new files into the system directories but prevents Power Users from modifying the Windows XP Professional system files.
While Power Users have the permissions necessary to install most applications, not all application installations will succeed. For example, many applications check for explicit membership in the Administrators group before installing. Other applications attempt to replace operating system files, which Power Users cannot do. Finally, because Power Users cannot install services, they cannot install applications that have a service component.
To install local printer drivers, you need to be a member of the Power Users or Administrators group and have the Load and unload device drivers privilege assigned to you.
To add the Load and unload device drivers privilege for Power Users:
1. In Control Panel, click Performance and Maintenance, click Administrative Tools, and then double-click Local Security Policy.
2. In the console tree, double-click Local Policies, and then double-click User Rights Assignment.
3. In the right pane, right-click the Load and unload device drivers policy, and then click Properties.
4. Click Add, enter the Power Users group, and then click OK.
Like Users, Power Users are not allowed to access data stored in other users’ profiles.

Hiren

Assisted Solution by: Sandeshdubey (earned 125 total points)
Just adding the user to the Power Users group will not allow the user to install software/printers; you need to add the user to the local admin group to achieve the same.

You can install software and add printers without adding the user to the admin or Power Users group.

To install software you can deploy the software via Software Installation feature in Group Policy, startup script or look for a professional software distribution solution by a third-party software provider.
Refer to this link for more details: http://www.frickelsoft.net/blog/?p=29
Software installation GPO: http://support.microsoft.com/kb/816102

For the printer you can share the printer and add permissions on the printer. The user can map the printer in their profile. You can also deploy a GPO to map the printer, or you can create a script to map the printers.

Expert Comment by: Thomas_Roes
"They are used to installing their own software, and install their own printers. Management have signed this off . . . ."

Then it all boils down to this:

Your users need an administrative account.

Modern best practice is to only log in with your administrative account for administrative tasks.
For day-to-day use, use a normal user account.

Chances are that your users will not want to use 2 accounts, and your management will not force them to do so.

My solution is simple:

Tell your management that their "OK" to use local administrative accounts on a day-to-day basis is bad for security, your advice is not to do so, to let users use a user account. If needed, supply users with a user and an administrative account. (Be sure not to let them use email on their administrative account, or they will never use their normal account).

Better, beef up your software and device driver management from the network. Let your users do their job (i.e. earning money for the company so they can pay you) instead of wasting time "administrating" their "own" PC.

Historically, we had Windows 98, Windows 2000 and XP. A lot of programs were tested by their developers with a local administrative account. But this is HISTORY.

In 2011, you should dump any program that needs local administrator rights on day-to-day basis. Virtually ALL security fails when users log in with local administrator rights.

At the very least, get your users all to Windows 7 and KEEP UAC ON! That way, even with a local administrative account, you at least have to click "OK" when a virus tries to install itself.

Thomas Roes

Author Comment by: Simon336697
Thanks Thomas much appreciated answer mate.
Thanks x_layer.
Thanks sandesh.
And thank you Hiren.