Power users versus local administrators group

Posted on 2011-09-11
Last Modified: 2012-08-13
Hi guys,
Hope you are all well and can help.
Our company has historically given all its users local admin access to their machines.
As an IT department, we have struggled to put the case to the powers that be that this is not best practice in any sense.
The reason they have decided on this is to allow users to install applications.

My questions to you guys are these....

1) Would we be better off removing standard users from being local admins, and instead granting them membership of the Power Users group?

2) In what ways would we be better off?

3) What limitations would there be if we did this in terms of what a Power Users group cannot do and what the local admins group CAN do?

Knowing the real difference between these two groups' capabilities would give us a good idea of whether it is a viable thing to do or not.

Any help greatly appreciated.
Question by:Simon336697
LVL 11

Assisted Solution

X_layer earned 125 total points
ID: 36519889
This describes the differences.

Accepted Solution

Thomas_Roes earned 125 total points
ID: 36519911
You're not mentioning whether you are talking about XP or 7 clients.

1) Definitely
2) Your users can change (remove / change the password of) a local administrator account, keeping it safe for software / your own (IT department) purposes
3) Very different story for XP and 7:
[from Microsoft's site, XP:
Power Users

Members of the Power Users group can create user accounts, but can modify and delete only those accounts they create. They can create local groups and remove users from local groups they have created. They can also remove users from the Power Users, Users, and Guests groups.

They cannot modify the Administrators or Backup Operators groups, nor can they take ownership of files, back up or restore directories, load or unload device drivers, or manage the security and auditing logs.
[same site, about 7:
By default, members of this group have no more user rights or permissions than a standard user account. The Power Users group in previous versions of Windows was designed to give users specific administrator rights and permissions to perform common system tasks. In this version of Windows, standard user accounts inherently have the ability to perform most common configuration tasks, such as changing time zones. For legacy applications that require the same Power User rights and permissions that were present in previous versions of Windows, administrators can apply a security template that enables the Power Users group to assume the same rights and permissions that were present in previous versions of Windows.
[/end site quote]

I don't think your users should be doing anything that requires local administrative rights. In an AD environment, you are of course in a position to grant the extra rights you need to the user group or the Power Users group.

Thomas Roes


Author Comment

ID: 36519940
Thanks so much guys for both your kind help.
Thomas, our users are on XP and Windows 7.
They are used to installing their own software and installing their own printers.
Management has signed this off, so we need to keep providing them the ability to install software and printers. Would Power Users give them this?


Assisted Solution

hirenvmajithiya earned 125 total points
ID: 36520759
What is a Power User (a short description):

Power Users have less system access than Administrators but more than Users. By default, members of this group have Read/Write permissions to other parts of the system in addition to their own profile.
The default security settings for Power Users are backward compatible with the default security settings for Users in the Windows NT 4.0 operating system. This allows Power Users to run legacy applications that are not certified for Windows XP Professional and therefore cannot be run under the more secure Users context.
Power Users can perform many system-wide operations, such as changing system time and display settings, and creating user accounts and shares. Power Users also have Modify access to:
Program files
Although Power Users have Modify access to the %windir% and %windir%\System32 directories, they have Read-only access to the files that are installed in these directories during Windows XP Professional text-mode setup. This allows noncertified applications to write new files into the system directories but prevents Power Users from modifying the Windows XP Professional system files.
While Power Users have the permissions necessary to install most applications, not all application installations will succeed. For example, many applications check for explicit membership in the Administrators group before installing. Other applications attempt to replace operating system files, which Power Users cannot do. Finally, because Power Users cannot install services, they cannot install applications that have a service component.
To install local printer drivers, you need to be a member of the Power Users or Administrators group and have the Load and unload device drivers privilege assigned to you.
To add the Load and unload device drivers privilege for Power Users
In Control Panel, click Performance and Maintenance, click Administrative Tools, and then double-click Local Security Policy.
In the console tree, double-click Local Policies, and then double-click User Rights Assignment.
In the right pane, right-click the Load and unload device drivers policy, and then click Properties.
Click Add, enter the Power Users group, and then click OK.
Like Users, Power Users are not allowed to access data stored in other users’ profiles.

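The Local Security Policy steps above can be scripted, and the same export also answers the earlier question of what rights Power Users actually hold on a given machine (on Windows 7, per the Microsoft text quoted above, the answer should be none). The following is an added example and not part of the original thread: it reads the user-rights area of the local policy with secedit.exe, lists every privilege assigned to the built-in Power Users group (well-known SID S-1-5-32-547), and with -GrantLoadDriver adds the group to "Load and unload device drivers" (SeLoadDriverPrivilege) without dropping the existing holders. The temp file names are assumptions; run it from an elevated prompt on the target machine.

```powershell
# Added example (not from the original thread). Lists the user rights held by the
# built-in Power Users group and optionally grants "Load and unload device drivers"
# (SeLoadDriverPrivilege) to it, the way the Local Security Policy steps above do.
# Needs an elevated prompt. Works with PowerShell 2.0 on XP SP3 and on Windows 7.
param(
    [switch]$GrantLoadDriver   # without this switch the script only reports
)

$powerUsersSid = '*S-1-5-32-547'         # secedit writes SIDs with a leading '*'
$privilege     = 'SeLoadDriverPrivilege' # "Load and unload device drivers"
$cfg = Join-Path $env:TEMP 'user-rights.inf'   # assumed temp paths
$db  = Join-Path $env:TEMP 'user-rights.sdb'

# 1. Export only the user-rights area of the effective local policy.
& secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $cfg)) { throw "secedit export failed; are you running elevated?" }
$lines = Get-Content $cfg

# 2. Report every privilege under [Privilege Rights] whose holder list names Power Users.
$held = @($lines | Where-Object { $_ -match '^Se\w+\s*=' -and $_.Contains($powerUsersSid) } |
          ForEach-Object { ($_ -split '=')[0].Trim() })
Write-Host "User rights assigned to Power Users on $env:COMPUTERNAME :"
if ($held.Count -gt 0) { $held | ForEach-Object { Write-Host "  $_" } }
else                   { Write-Host "  (none - the Windows 7 default)" }

# 3. Optionally add Power Users to SeLoadDriverPrivilege, keeping existing holders.
if ($GrantLoadDriver -and ($held -notcontains $privilege)) {
    $found = $false
    $new = foreach ($line in $lines) {
        if ($line -match "^$privilege\s*=\s*(.*)$") {
            $found = $true
            $holders = $Matches[1].Trim()
            if ($holders) { "$privilege = $holders,$powerUsersSid" }
            else          { "$privilege = $powerUsersSid" }
        } else { $line }
    }
    if (-not $found) {
        # No line for the privilege yet: add one directly under the section header.
        $new = $new | ForEach-Object { $_; if ($_ -eq '[Privilege Rights]') { "$privilege = $powerUsersSid" } }
    }
    $new | Set-Content -Path $cfg -Encoding Unicode    # secedit expects a Unicode .inf
    & secedit.exe /configure /db $db /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    Write-Host "Granted $privilege to Power Users; takes effect at next logon (check with: whoami /priv)."
}
Remove-Item $cfg, $db -ErrorAction SilentlyContinue
```

Two caveats a practitioner would want: on a domain-joined machine any User Rights Assignment set in a domain GPO overrides what this script writes locally, so in an AD environment set the privilege under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment instead; and holding SeLoadDriverPrivilege lets the account load kernel-mode code, so on the machines where it is granted the Power Users group is no longer meaningfully weaker than Administrators.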
LVL 24

Assisted Solution

Sandeshdubey earned 125 total points
ID: 36520777
Just adding a user to the Power Users group will not allow the user to install software/printers; you need to add the user to the local Administrators group to achieve the same.

You can install software and add printers without adding the user to the Administrators or Power Users group.

To install software you can deploy the software via the Software Installation feature in Group Policy or a startup script, or look for a professional software distribution solution from a third-party software provider.
Refer this link for more details:
Software installation GPO:

For the printer you can share the printer and set permissions on the printer. The user can map the printer in their profile. You can also deploy a GPO to map the printer, or you can create a script to map the printers.

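The "script to map the printers" route from the answer above, as an added example that is not part of the original thread: a logon script that connects the user to shared printers. It needs neither Administrators nor Power Users membership because the driver is pulled from the print server (Point and Print) rather than installed locally. It uses the WScript.Network COM object, which is present on both XP and Windows 7, so it runs as a standard user under PowerShell 2.0. The print server and share names are assumptions.

```powershell
# Added example (not from the original thread): a logon script that connects the
# user to shared printers, which needs neither Administrators nor Power Users
# membership because the driver comes from the print server (Point and Print).
# Uses the WScript.Network COM object, present on XP and Windows 7, so it runs
# as a standard user under PowerShell 2.0. Server and share names are assumptions.
$printServer = '\\printsrv01'
$wanted      = @("$printServer\HP-Floor2", "$printServer\Canon-Colour")
$default     = "$printServer\HP-Floor2"

$net = New-Object -ComObject WScript.Network

# EnumPrinterConnections returns a flat list alternating port, UNC path, port, UNC path ...
$conns    = @($net.EnumPrinterConnections())
$existing = @()
for ($i = 1; $i -lt $conns.Count; $i += 2) { $existing += $conns[$i] }

# Add what is missing; connections are stored per user, so re-running is harmless.
foreach ($p in $wanted) {
    if ($existing -contains $p) { continue }
    try {
        $net.AddWindowsPrinterConnection($p)
        Write-Host "Connected $p"
    } catch {
        # Typical causes: server unreachable, no Print permission on the share, or
        # a Point and Print Restrictions policy refusing this server's driver.
        Write-Warning "Could not connect $p : $($_.Exception.Message)"
    }
}

# Drop connections to this server that are no longer on the list (retired queues).
foreach ($e in $existing) {
    if ($e -like "$printServer\*" -and $wanted -notcontains $e) {
        $net.RemovePrinterConnection($e, $true, $true)   # force, and update the profile
        Write-Host "Removed $e"
    }
}

$net.SetDefaultPrinter($default)
```

Deploy it under User Configuration > Windows Settings > Scripts (Logon), invoked as powershell.exe -ExecutionPolicy Bypass -File map-printers.ps1 (XP clients need PowerShell 2.0 installed; since the COM object is the same, the script also translates one-to-one into VBScript if you would rather not depend on that). On Windows 7 the Point and Print Restrictions policy decides whether a driver from a given server installs silently for a standard user, so list your print servers there; otherwise the connection prompts for elevation, which is exactly the admin dependency this is meant to remove.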
Expert Comment

ID: 36522973
"They are used to installing their own software, and install their own printers. Management have signed this off . . . ."

Then it all boils down to this:

Your users need an administrative account.

Modern best practice is to only log in with your administrative account for administrative tasks.
For day-to-day use, use a normal user account.

Chances are that your users will not want to use 2 accounts, and your management will not force them to do so.

My solution is simple:

Tell your management that their "OK" to use local administrative accounts on a day-to-day basis is bad for security, that your advice is not to do so, and to let users use a user account. If needed, supply users with a user account and an administrative account. (Be sure not to let them use email on their administrative account, or they will never use their normal account).

Better, beef up your software and device driver management from the network. Let your users do their job (i.e. earning money for the company so it can pay you) instead of wasting time "administrating" their "own" PC.

Historically, we had Windows 98, Windows 2000 and XP. A lot of programs were tested by their developers with a local administrative account. But this is HISTORY.

In 2011, you should dump any program that needs local administrator rights on a day-to-day basis. Virtually ALL security fails when users log in with local administrator rights.

At the very least, get all your users to Windows 7 and KEEP UAC ON! That way, even with a local administrative account, you at least have to click "OK" when a virus tries to install itself.

Thomas Roes

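Before splitting accounts or turning off the blanket admin grant, it helps to measure the current state. The following is an added example, not part of the original thread: for each machine it reports who sits in the local Administrators group and whether UAC is actually on, including the case where UAC is enabled but set to elevate silently, which gives none of the "click OK" protection the comment above relies on. It uses the WinNT ADSI provider and the remote registry, so it needs admin rights on the targets and the Remote Registry service running; the computer names are assumptions.

```powershell
# Added example (not from the original thread). Before separating "user" and
# "admin" accounts, measure the current state: who is in each machine's local
# Administrators group, and is UAC actually on? Uses the WinNT ADSI provider and
# the remote registry, so it needs admin rights on the targets and the Remote
# Registry service running. Computer names are assumptions.
param([string[]]$ComputerName = @($env:COMPUTERNAME))

function Get-LocalAdminAudit {
    param([string]$Computer)

    $os = (Get-WmiObject Win32_OperatingSystem -ComputerName $Computer).Caption

    # Members of the local Administrators group, as DOMAIN/name or MACHINE/name.
    $group   = [ADSI]"WinNT://$Computer/Administrators,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null) -replace '^WinNT://', ''
    })

    # UAC lives under HKLM\...\Policies\System; the values are absent on XP.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $sys  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')
    $enableLua = $null; $adminPrompt = $null
    if ($sys) {
        $enableLua   = $sys.GetValue('EnableLUA', $null)
        $adminPrompt = $sys.GetValue('ConsentPromptBehaviorAdmin', $null)
        $sys.Close()
    }
    $hklm.Close()

    # ConsentPromptBehaviorAdmin 0 means "elevate without prompting": UAC is on
    # paper but never asks, so a virus never needs that "OK" click either.
    if ($enableLua -eq $null)   { $uac = 'n/a (pre-Vista)' }
    elseif ($enableLua -ne 1)   { $uac = 'OFF' }
    elseif ($adminPrompt -eq 0) { $uac = 'on, but elevates silently' }
    else                        { $uac = 'on' }

    # "Domain Users" in local Administrators is the broadest form of the practice
    # described in the question; flag it explicitly.
    $finding = ''
    if (@($members -match '/Domain Users$').Count -gt 0) { $finding = 'Domain Users are local admins' }

    New-Object PSObject -Property @{
        Computer = $Computer
        OS       = $os
        UAC      = $uac
        Admins   = ($members -join '; ')
        Finding  = $finding
    }
}

$ComputerName | ForEach-Object {
    try   { Get-LocalAdminAudit $_ }
    catch { Write-Warning "$_" }
} | Select-Object Computer, OS, UAC, Admins, Finding | Format-Table -AutoSize -Wrap
```

Feed it the computer names from your AD OU (for example from dsquery or Get-ADComputer) and keep the output: the list of members that are not your IT accounts is the scope of the change you are asking management to approve, and the UAC column tells you which Windows 7 machines already have the one safety net the comment above asks you to keep.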
Author Comment

ID: 36528460
Thanks Thomas much appreciated answer mate.
Thanks x_layer.
Thanks sandesh.
And thank you hire.
