Power users versus local administrators group

Posted on 2011-09-11
Medium Priority
Last Modified: 2012-08-13
Hi guys,
Hope you are all well and can help.
Our company has historically given all its users local admin access to their machines.
As an IT department, we have struggled to put the case to the powers that be that it is not best practice in any sense.
The reason they have decided on this is to allow users to install applications.

My questions to you guys are these....

1) Would we be better off removing standard users from being local admins, and instead granting them membership of the Power Users group?

2) In what ways would we be better off?

3) What limitations would there be if we did this in terms of what a Power Users group cannot do and what the local admins group CAN do?

Knowing the real difference between these two groups' capabilities would give us a good idea of whether it is a viable thing to do or not.

Any help greatly appreciated.
Question by: Simon336697
LVL 11

Assisted Solution

X_layer earned 500 total points
ID: 36519889
Here describes the differences.

Accepted Solution

Thomas_Roes earned 500 total points
ID: 36519911
You're not mentioning if you are talking about XP or 7 clients.

1) Definitely
2) Your users can change (remove / change password) of a local administrator account, keeping it safe for software / your own (IT department) purposes
3) Very different story for XP and 7:
[from Microsoft's site, XP:
Power Users

Members of the Power Users group can create user accounts, but can modify and delete only those accounts they create. They can create local groups and remove users from local groups they have created. They can also remove users from the Power Users, Users, and Guests groups.

They cannot modify the Administrators or Backup Operators groups, nor can they take ownership of files, back up or restore directories, load or unload device drivers, or manage the security and auditing logs.
[same site, about 7:
By default, members of this group have no more user rights or permissions than a standard user account. The Power Users group in previous versions of Windows was designed to give users specific administrator rights and permissions to perform common system tasks. In this version of Windows, standard user accounts inherently have the ability to perform most common configuration tasks, such as changing time zones. For legacy applications that require the same Power User rights and permissions that were present in previous versions of Windows, administrators can apply a security template that enables the Power Users group to assume the same rights and permissions that were present in previous versions of Windows.
[/end site quote]



I don't think your users should be doing anything that requires local administrative rights. In an AD environment, you are of course in a position to grant the extra rights you need to the user group or power user group.

Thomas Roes


Author Comment

ID: 36519940
Thanks so much guys for both your kind help.
Thomas, our users are XP and Windows 7.
They are used to installing their own software, and install their own printers.
Management have signed this off, so we need to keep providing this ability to them of installing software and printers. Would the power users give them this?

Assisted Solution

hirenvmajithiya earned 500 total points
ID: 36520759
What is a Power User (a short description):

Power Users have less system access than Administrators but more than Users. By default, members of this group have Read/Write permissions to other parts of the system in addition to their own profile.
The default security settings for Power Users are backward compatible with the default security settings for Users in the Windows NT 4.0 operating system. This allows Power Users to run legacy applications that are not certified for Windows XP Professional and therefore cannot be run under the more secure Users context.
Power Users can perform many system-wide operations, such as changing system time and display settings, and creating user accounts and shares. Power Users also have Modify access to:
Program files
Although Power Users have Modify access to the %windir% and %windir%\System32 directories, they have Read-only access to the files that are installed in these directories during Windows XP Professional text-mode setup. This allows noncertified applications to write new files into the system directories but prevents Power Users from modifying the Windows XP Professional system files.
While Power Users have the permissions necessary to install most applications, not all application installations will succeed. For example, many applications check for explicit membership in the Administrators group before installing. Other applications attempt to replace operating system files, which Power Users cannot do. Finally, because Power Users cannot install services, they cannot install applications that have a service component.
To install local printer drivers, you need to be a member of the Power Users or Administrators group and have the Load and unload device drivers privilege assigned to you.
To add the Load and unload device drivers privilege for Power Users:
1) In Control Panel, click Performance and Maintenance, click Administrative Tools, and then double-click Local Security Policy.
2) In the console tree, double-click Local Policies, and then double-click User Rights Assignment.
3) In the right pane, right-click the Load and unload device drivers policy, and then click Properties.
4) Click Add, enter the Power Users group, and then click OK.
Like Users, Power Users are not allowed to access data stored in other users’ profiles.
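An added audit script (not from this thread or from Microsoft) that an IT department could run before deciding: it lists who is in the local Administrators and Power Users groups and reports whether Power Users currently hold the "Load and unload device drivers" right (SeLoadDriverPrivilege) described above. It assumes it is run elevated on the machine being checked; $ComputerName is a hypothetical parameter, and the privilege check is local-only because it relies on secedit.

```powershell
# Added example, not part of the original thread. Run elevated on the machine being audited.
param([string]$ComputerName = $env:COMPUTERNAME)   # hypothetical parameter

function Get-LocalGroupMembers {
    param([string]$Computer, [string]$Group)
    # The WinNT ADSI provider works on XP and 7 as well as newer clients
    $grp = [ADSI]"WinNT://$Computer/$Group,group"
    $grp.psbase.Invoke('Members') | ForEach-Object {
        $name = $_.GetType().InvokeMember('Name',    'GetProperty', $null, $_, $null)
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        [pscustomobject]@{ Group = $Group; Member = $name; Path = $path }
    }
}

function Get-UserRightHolders {
    param([string]$Right)
    # Export the local security policy (user rights only) and read who holds the right
    $inf = Join-Path $env:TEMP 'rights-audit.inf'
    secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -match "^$Right\s*=" }
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    # Entries look like "*S-1-5-32-544,*S-1-5-32-547"; strip the leading '*' from SIDs
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

$admins = @(Get-LocalGroupMembers -Computer $ComputerName -Group 'Administrators')
$power  = @(Get-LocalGroupMembers -Computer $ComputerName -Group 'Power Users')

# Well-known SIDs: S-1-5-32-544 = Administrators, S-1-5-32-547 = Power Users
$holders = Get-UserRightHolders -Right 'SeLoadDriverPrivilege'
$powerUsersCanLoadDrivers = $holders -contains 'S-1-5-32-547'

$admins + $power | Format-Table -AutoSize
"Accounts in local Administrators: $($admins.Count)"
"Power Users hold SeLoadDriverPrivilege: $powerUsersCanLoadDrivers"
```

Any non-IT account appearing under Administrators is exactly the exposure the question is about, and the last line tells you whether the printer-driver workaround described above has already been applied on that machine.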

LVL 24

Assisted Solution

Sandeshdubey earned 500 total points
ID: 36520777
Just adding a user to the Power Users group will not allow the user to install software/printers; you need to add the user to the local admin group to achieve the same.

You can install software and add printers without adding the user to the admin or Power Users group.

To install software you can deploy the software via the Software Installation feature in Group Policy, a startup script, or look for a professional software distribution solution from a third-party software provider.
Refer to this link for more details: http://www.frickelsoft.net/blog/?p=29
Software installation GPO: http://support.microsoft.com/kb/816102

For the printer you can share the printer and add permissions on the printer. The user can map the printer in their profile. You can also deploy a GPO to map the printer or you can create a script to map the printers.

Expert Comment

ID: 36522973
"They are used to installing their own software, and install their own printers. Management have signed this off . . . ."

Then it all boils down to this:

Your users need an administrative account.

Modern best practice is to only log in with your administrative account for administrative tasks.
For day-to-day use, use a normal user account.

Chances are that your users will not want to use 2 accounts, and your management will not force them to do so.

My solution is simple:

Tell your management that their "OK" to use local administrative accounts on a day-to-day basis is bad for security, your advice is not to do so, to let users use a user account. If needed, supply users with a user and an administrative account. (Be sure not to let them use email on their administrative account, or they will never use their normal account).

Better, beef up your software and device driver management from the network. Let your users do their job (i.e. earning money for the company so they can pay you) instead of wasting time "administrating" their "own" PC.

Historically, we had Windows 98, Windows 2000 and XP. A lot of programs were tested by their developers with a local administrative account. But this is HISTORY.

In 2011, you should dump any program that needs local administrator rights on day-to-day basis. Virtually ALL security fails when users log in with local administrator rights.

At the very least, get your users all to Windows 7 and KEEP UAC ON! That way, even with a local administrative account, you at least have to click "OK" when a virus tries to install itself.

Thomas Roes

Author Comment

ID: 36528460
Thanks Thomas much appreciated answer mate.
Thanks x_layer.
Thanks sandesh.
And thank you hire.
