
Power users versus local administrators group

Hi guys,
Hope you are all well and can help.
Our company has historically given all its users local admin access to their machines.
As an IT department, we have struggled to put the case to the powers that be that it is not best practice in any sense.
The reason they have decided on this is to allow users to install applications.

My questions to you guys are these....

1) Would we be better off removing standard users from being local admins, and instead granting them membership of the Power Users group?

2) In what ways would we be better off?

3) What limitations would there be if we did this in terms of what a Power Users group cannot do and what the local admins group CAN do?

By knowing the real difference between these two groups capabilities would then give us a good idea on whether it is a viable thing to do or not.

Any help greatly appreciated.
Asked by: Simon336697
 
X_layer commented:
Here describes the differences.
 
Thomas_Roes commented:
You're not mentioning if you are talking about XP or 7 clients.

1) Definitely
2) Your users can change (remove / change password) of a local administrator account, keeping it safe for software / your own (IT department) purposes
3) Very different story for XP and 7:
[from Microsoft's site, XP:
Power Users

Members of the Power Users group can create user accounts, but can modify and delete only those accounts they create. They can create local groups and remove users from local groups they have created. They can also remove users from the Power Users, Users, and Guests groups.

They cannot modify the Administrators or Backup Operators groups, nor can they take ownership of files, back up or restore directories, load or unload device drivers, or manage the security and auditing logs.
[same site, about 7:
By default, members of this group have no more user rights or permissions than a standard user account. The Power Users group in previous versions of Windows was designed to give users specific administrator rights and permissions to perform common system tasks. In this version of Windows, standard user accounts inherently have the ability to perform most common configuration tasks, such as changing time zones. For legacy applications that require the same Power User rights and permissions that were present in previous versions of Windows, administrators can apply a security template that enables the Power Users group to assume the same rights and permissions that were present in previous versions of Windows.
[/end site quote]

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/lsm_local_groups.mspx?mfr=true

http://technet.microsoft.com/en-us/library/cc771990.aspx

I don't think your users should be doing anything that requires local administrative rights. In an AD environment, you are of course in a position to grant the extra rights you need to the Users group or Power Users group.

Thomas Roes

 
Simon336697 (Author) commented:
Thanks so much guys for both your kind help.
Thomas, our users are XP and Windows 7.
They are used to installing their own software, and install their own printers.
Management have signed this off, so we need to keep providing them with this ability to install software and printers. Would the Power Users group give them this?
 
hirenvmajithiya (Manager, System Administration) commented:
What is Power User(a short description):

Power Users have less system access than Administrators but more than Users. By default, members of this group have Read/Write permissions to other parts of the system in addition to their own profile.
The default security settings for Power Users are backward compatible with the default security settings for Users in the Windows NT 4.0 operating system. This allows Power Users to run legacy applications that are not certified for Windows XP Professional and therefore cannot be run under the more secure Users context.
Power Users can perform many system-wide operations, such as changing system time and display settings, and creating user accounts and shares. Power Users also have Modify access to:
HKEY_LOCAL_MACHINE\Software
Program files
%windir%
%windir%\System32
Although Power Users have Modify access to the %windir% and %windir%\System32 directories, they have Read-only access to the files that are installed in these directories during Windows XP Professional text-mode setup. This allows noncertified applications to write new files into the system directories but prevents Power Users from modifying the Windows XP Professional system files.
While Power Users have the permissions necessary to install most applications, not all application installations will succeed. For example, many applications check for explicit membership in the Administrators group before installing. Other applications attempt to replace operating system files, which Power Users cannot do. Finally, because Power Users cannot install services, they cannot install applications that have a service component.
To install local printer drivers, you need to be a member of the Power Users or Administrators group and have the Load and unload device drivers privilege assigned to you.
To add the Load and unload device drivers privilege for Power Users
In Control Panel, click Performance and Maintenance, click Administrative Tools, and then double-click Local Security Policy.
In the console tree, double-click Local Policies, and then double-click User Rights Assignment.
In the right pane, right-click the Load and unload device drivers policy, and then click Properties.
Click Add, enter the Power Users group, and then click OK.
Like Users, Power Users are not allowed to access data stored in other users’ profiles.

Hiren
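The rights described above are easy to state and hard to confirm on a given machine, because the XP defaults and the Windows 7 defaults differ. The following PowerShell script is an added example, not code from the thread or from Microsoft's documentation: it audits what BUILTIN\Power Users actually gets on the local box (membership of the two groups the question compares, explicit Modify entries on the four locations Hiren lists, and whether the group holds the "Load and unload device drivers" right), and with -GrantLoadDriver it performs the Local Security Policy steps in the post with secedit instead of the GUI. The temp file names are assumptions; the SID S-1-5-32-547 is the well-known SID for Power Users.

```powershell
param([switch]$GrantLoadDriver)   # opt in to actually change the user-rights assignment

# Added example, not from the thread: audit what BUILTIN\Power Users actually
# gets on this machine, then optionally grant SeLoadDriverPrivilege the scripted
# way. Run from an elevated PowerShell on XP or 7; only built-in tools are used.

$powerUsersSid = 'S-1-5-32-547'          # well-known SID for BUILTIN\Power Users

# 1. Current membership of the two groups the question compares.
foreach ($group in 'Administrators', 'Power Users') {
    $members = ([ADSI]"WinNT://./$group,group").psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
    '{0,-15}: {1}' -f $group, ($members -join ', ')
}

# 2. Explicit Allow entries for Power Users on the locations the post says it
#    can modify (XP default). On 7 these are typically empty: Power Users is a
#    plain standard user there unless the legacy security template was applied.
$paths = 'HKLM:\SOFTWARE', $env:ProgramFiles, $env:windir, "$env:windir\System32"
foreach ($path in $paths) {
    $rules = (Get-Acl -Path $path).Access | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Power Users' -and $_.AccessControlType -eq 'Allow'
    }
    $rights = foreach ($r in $rules) {
        if ($path -like 'HKLM:*') { $r.RegistryRights } else { $r.FileSystemRights }
    }
    if (-not $rights) { $rights = '(no explicit entry)' }
    '{0,-32} Power Users: {1}' -f $path, ($rights -join ' | ')
}

# 3. User rights: secedit exports the current assignment as an .inf we can grep.
#    The line looks like: SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-551
$exportInf = Join-Path $env:TEMP 'user-rights.inf'   # assumed scratch path
secedit /export /cfg $exportInf /areas USER_RIGHTS | Out-Null
$loadDriverLine = Get-Content $exportInf | Where-Object { $_ -match '^SeLoadDriverPrivilege\s*=' }
$hasLoadDriver  = [bool]($loadDriverLine -and $loadDriverLine -match "\*$powerUsersSid")
"SeLoadDriverPrivilege line  : $loadDriverLine"
"Power Users can load drivers: $hasLoadDriver"

# 4. Scripted equivalent of the Local Security Policy steps in the post.
#    Caveat: SeLoadDriverPrivilege lets members load any kernel driver, which is
#    admin-equivalent in practice, so this widens the gap from Users considerably.
if ($GrantLoadDriver -and -not $hasLoadDriver) {
    $current  = if ($loadDriverLine) { ($loadDriverLine -split '=', 2)[1].Trim() } else { '' }
    $newValue = if ($current) { "$current,*$powerUsersSid" } else { "*$powerUsersSid" }
    $grantInf = Join-Path $env:TEMP 'grant-load-driver.inf'   # assumed scratch path
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeLoadDriverPrivilege = $newValue
"@ | Set-Content -Path $grantInf -Encoding Unicode
    secedit /configure /db (Join-Path $env:TEMP 'grant.sdb') /cfg $grantInf /areas USER_RIGHTS | Out-Null
    'Granted SeLoadDriverPrivilege to Power Users; re-run without -GrantLoadDriver to verify.'
}
```

Run it once on an XP box and once on a Windows 7 box and the difference Thomas describes is visible in the output: XP shows Modify on Program Files, %windir% and HKLM\Software, 7 shows no entry at all. Step 4 is the part to think twice about: granting the driver-load right to a group that every user belongs to hands out a capability that is effectively equivalent to local admin, so it should be a conscious decision rather than a side effect of wanting printers to work.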
 
Sandeshdubey (Senior Server Engineer) commented:
Just adding a user to the Power Users group will not allow the user to install software/printers; you need to add the user to the local admin group to achieve the same.

You can install software and add printer without adding user the admin or power users group.

To install software you can deploy the software via Software Installation feature in Group Policy, startup script or look for a professional software distribution solution by a third-party software provider.
Refer this link for more details:http://www.frickelsoft.net/blog/?p=29
Software installation GPO:http://support.microsoft.com/kb/816102

For the printer you can share the printer and add permissions on the printer. The user can map the printer in their profile. You can also deploy a GPO to map the printer or you can create a script to map the printers.
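The printer half of that advice is the easier one to script. The following is an added example, not a script from the thread: a logon script that maps shared printers to a standard user based on the groups in the logon token, so nobody needs local admin or Power Users to "install" a printer. It uses the WScript.Network COM object, which works on XP and 7 and only needs the share name; the driver comes from the print server via Point and Print. The server name \\PRINTSRV01, the domain CORP, the group names and the printer names are all assumptions.

```powershell
# Added example, not from the thread: map shared printers for a standard user
# from a logon script. No admin rights needed; the print server supplies the driver.

$printServer    = '\\PRINTSRV01'                     # assumed print server
$domain         = 'CORP'                             # assumed NetBIOS domain name
$printersByGroup = @{                                # assumed AD group -> printer shares
    'Sales'       = @('Sales-Floor1', 'Sales-Color')
    'Engineering' = @('Eng-Plotter')
}
$defaultPrinter = 'Sales-Floor1'

# Group membership comes from the logon token, so this works even when the
# client is off the network with cached credentials. Translate() can fail for
# orphaned SIDs, so those are skipped rather than aborting the script.
$identity    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenGroups = $identity.Groups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
}

$net    = New-Object -ComObject WScript.Network
$mapped = @()
foreach ($group in $printersByGroup.Keys) {
    if ($tokenGroups -notcontains "$domain\$group") { continue }
    foreach ($name in $printersByGroup[$group]) {
        $share = "$printServer\$name"
        try {
            # Idempotent: re-adding an existing connection is not an error.
            $net.AddWindowsPrinterConnection($share)
            $mapped += $share
        } catch {
            # Typical causes: share does not exist, user lacks Print permission,
            # or Point and Print policy blocks the driver download for non-admins.
            Write-Warning "Could not map ${share}: $($_.Exception.Message)"
        }
    }
}

if ($mapped -contains "$printServer\$defaultPrinter") {
    $net.SetDefaultPrinter("$printServer\$defaultPrinter")
}
"Mapped for $($identity.Name): $($mapped -join ', ')"
```

Deploy it as a user logon script via Group Policy and drive the $printersByGroup table from the same AD groups that carry the printer share permissions, so adding someone to a group both grants Print permission and maps the queue. On Windows 7 the "Point and Print Restrictions" policy decides whether a non-admin may pull the driver from the server without a prompt; on current Windows versions, driver installation through Point and Print is restricted to administrators by default and has to be relaxed deliberately (RestrictDriverInstallationToAdministrators), so test the script with a plain user account, not an admin one.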
 
Thomas_Roes commented:
"They are used to installing their own software, and install their own printers. Management have signed this off . . . ."

Then it all boils down to this:

Your users need an administrative account.

Modern best practice is to only log in with your administrative account for administrative tasks.
For day-to-day use, use a normal user account.

Chances are that your users will not want to use 2 accounts, and your management will not force them to do so.

My solution is simple:

Tell your management that their "OK"  to use local administrative accounts on a day-to-day basis is bad for security, your advice is not to do so, to let users use a user account. If needed, supply users with an user and an administrative account. (Be sure not to let them use email on their administrative account, or they will never use their normal account).

Better, beef up your software and device driver management from the network. Let your users do their job (i.e. earning money for the company so they can pay you) instead of wasting time "administrating" their "own" PC.

Historically, we had Windows 98, Windows 2000 and XP. A lot of programs were tested by their developers with a local administrative account. But this is HISTORY.

In 2011, you should dump any program that needs local administrator rights on day-to-day basis. Virtually ALL security fails when users log in with local administrator rights.

At the very least, get all your users to Windows 7 and KEEP UAC ON! That way, even with a local administrative account, you at least have to click "OK" when a virus tries to install itself.

Thomas Roes
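"Keep UAC on" is only useful advice if you can tell, per machine, whether it is really on and whether the logged-on account is running as an administrator at all. The script below is an added example, not part of Thomas's post: run in the user's session on Windows 7 it reports whether the token carries BUILTIN\Administrators, whether the current process is elevated, and whether the UAC policy values are set so that an admin actually sees a prompt. The registry value names are the documented UAC policy values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; the -Harden switch is an assumption for illustration and writes the Windows 7 defaults back.

```powershell
param([switch]$Harden)   # opt in to write the hardened UAC values (needs elevation)

# Added example, not from the thread: report admin status and UAC state on a
# Windows 7 client, so "keep UAC on" can be verified rather than assumed.

$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac    = Get-ItemProperty -Path $policy

$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

# With UAC on, an admin's day-to-day token is filtered: BUILTIN\Administrators
# (S-1-5-32-544) is still listed in the token but marked deny-only, so IsInRole
# is false until the process is elevated. Checking both tells the two apart.
$inAdminGroup = ($identity.Groups | ForEach-Object { $_.Value }) -contains 'S-1-5-32-544'
$isElevated   = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)

$findings = @()
if ($uac.EnableLUA -ne 1) {
    $findings += 'UAC is OFF (EnableLUA != 1): admins get a full token at logon and never see a prompt.'
}
if ($uac.ConsentPromptBehaviorAdmin -eq 0) {
    $findings += 'Admins elevate silently (ConsentPromptBehaviorAdmin = 0, "Never notify"): UAC is effectively off for them.'
}
if ($uac.PromptOnSecureDesktop -ne 1) {
    $findings += 'Elevation prompt is not on the secure desktop: a program running as the user can spoof or auto-click it.'
}
if ($inAdminGroup -and -not $isElevated) {
    $findings += "$($identity.Name) is a local admin running with a filtered token (UAC is doing its job)."
} elseif ($isElevated) {
    $findings += "$($identity.Name) is running fully elevated right now: anything launched from here runs as admin."
} else {
    $findings += "$($identity.Name) is a standard user."
}

"EnableLUA                  : $($uac.EnableLUA)"
"ConsentPromptBehaviorAdmin : $($uac.ConsentPromptBehaviorAdmin)   (5 = Windows 7 default, 2 = always prompt, 0 = never)"
"PromptOnSecureDesktop      : $($uac.PromptOnSecureDesktop)"
$findings | ForEach-Object { "* $_" }

if ($Harden) {
    # Windows 7 defaults: UAC on, prompt for non-Windows binaries, secure desktop.
    Set-ItemProperty -Path $policy -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $policy -Name ConsentPromptBehaviorAdmin -Value 5 -Type DWord
    Set-ItemProperty -Path $policy -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    'UAC values written; a change to EnableLUA takes effect after a reboot.'
}
```

The interesting case in practice is the one the script flags second: EnableLUA is 1, so the box "has UAC on", but an admin has dragged the slider to "Never notify", which sets ConsentPromptBehaviorAdmin to 0 and elevates silently. That gives exactly the pre-UAC behaviour Thomas is warning about while still passing a naive "is UAC enabled" check, so enforce these values through Group Policy rather than trusting the local setting.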
 
Simon336697 (Author) commented:
Thanks Thomas much appreciated answer mate.
Thanks x_layer.
Thanks sandesh.
And thank you Hiren.