Solved

Power users versus local administrators group

Posted on 2011-09-11
Last Modified: 2012-08-13
Hi guys,
Hope you are all well and can help.
Our company has historically given all its users local admin access to their machines.
As an IT department, we have struggled to put the case to the powers that be that this is not best practice in any sense.
The reason they have decided on this is to allow users to install applications.

My questions to you guys are these....

1) Would we be better off removing standard users from being local admins, and instead granting them membership of the Power Users group?

2) In what ways would we be better off?

3) What limitations would there be if we did this in terms of what a Power Users group cannot do and what the local admins group CAN do?

Knowing the real difference between these two groups' capabilities would give us a good idea of whether it is a viable thing to do or not.

Any help greatly appreciated.
Question by:Simon336697

Assisted Solution by: X_layer (earned 500 total points)
ID: 36519889
Here describes the differences.
Accepted Solution by: Thomas_Roes (earned 500 total points)
ID: 36519911
You're not mentioning if you are talking about XP or 7 clients.

1) Definitely
2) Your users can change (remove / change the password of) a local administrator account, keeping it safe for software / your own (IT department) purposes
3) Very different story for XP and 7:
[from Microsoft's site, XP:
Power Users

Members of the Power Users group can create user accounts, but can modify and delete only those accounts they create. They can create local groups and remove users from local groups they have created. They can also remove users from the Power Users, Users, and Guests groups.

They cannot modify the Administrators or Backup Operators groups, nor can they take ownership of files, back up or restore directories, load or unload device drivers, or manage the security and auditing logs.
[same site, about 7:
By default, members of this group have no more user rights or permissions than a standard user account. The Power Users group in previous versions of Windows was designed to give users specific administrator rights and permissions to perform common system tasks. In this version of Windows, standard user accounts inherently have the ability to perform most common configuration tasks, such as changing time zones. For legacy applications that require the same Power User rights and permissions that were present in previous versions of Windows, administrators can apply a security template that enables the Power Users group to assume the same rights and permissions that were present in previous versions of Windows.
[/end site quote]

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/lsm_local_groups.mspx?mfr=true

http://technet.microsoft.com/en-us/library/cc771990.aspx

I don't think your users should be doing anything that requires local administrative rights. In an AD environment, you are of course in a position to grant the extra rights you need to the user group or power user group.

Thomas Roes

Author Comment by: Simon336697
ID: 36519940
Thanks so much guys for both your kind help.
Thomas, our users are XP and Windows 7.
They are used to installing their own software, and install their own printers.
Management have signed this off, so we need to keep providing this ability to them of installing software and printers. Would the power users give them this?
Assisted Solution by: hirenvmajithiya (earned 500 total points)
ID: 36520759
What is a Power User (a short description):

Power Users have less system access than Administrators but more than Users. By default, members of this group have Read/Write permissions to other parts of the system in addition to their own profile.
The default security settings for Power Users are backward compatible with the default security settings for Users in the Windows NT 4.0 operating system. This allows Power Users to run legacy applications that are not certified for Windows XP Professional and therefore cannot be run under the more secure Users context.
Power Users can perform many system-wide operations, such as changing system time and display settings, and creating user accounts and shares. Power Users also have Modify access to:
HKEY_LOCAL_MACHINE\Software
Program files
%windir%
%windir%\System32
Although Power Users have Modify access to the %windir% and %windir%\System32 directories, they have Read-only access to the files that are installed in these directories during Windows XP Professional text-mode setup. This allows noncertified applications to write new files into the system directories but prevents Power Users from modifying the Windows XP Professional system files.
While Power Users have the permissions necessary to install most applications, not all application installations will succeed. For example, many applications check for explicit membership in the Administrators group before installing. Other applications attempt to replace operating system files, which Power Users cannot do. Finally, because Power Users cannot install services, they cannot install applications that have a service component.
To install local printer drivers, you need to be a member of the Power Users or Administrators group and have the Load and unload device drivers privilege assigned to you.
To add the Load and unload device drivers privilege for Power Users:
1) In Control Panel, click Performance and Maintenance, click Administrative Tools, and then double-click Local Security Policy.
2) In the console tree, double-click Local Policies, and then double-click User Rights Assignment.
3) In the right pane, right-click the Load and unload device drivers policy, and then click Properties.
4) Click Add, enter the Power Users group, and then click OK.
Like Users, Power Users are not allowed to access data stored in other users’ profiles.

Hiren
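The Local Security Policy steps above can be audited and scripted instead of clicked through. The following is an added example (mine, not hirenvmajithiya's and not from Microsoft's documentation) that exports the current User Rights Assignment with secedit.exe, lists who already holds SeLoadDriverPrivilege (the internal name of "Load and unload device drivers"), and only then, as a separate explicit step, adds the well-known Power Users SID S-1-5-32-547. It assumes an elevated PowerShell on XP or 7; the temp file names are placeholders of my choosing.

```powershell
# Added example, not from the thread: audit and optionally script the
# "Load and unload device drivers" right (SeLoadDriverPrivilege).
# Assumes an elevated PowerShell on XP/7; secedit.exe is built into Windows.

$PowerUsersSid = 'S-1-5-32-547'   # well-known SID for BUILTIN\Power Users

function ConvertTo-AccountName([string]$Sid) {
    # Translate a SID to DOMAIN\Name; fall back to the raw SID if it cannot be resolved
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier $Sid
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

function Get-LoadDriverPrivilegeHolders {
    # secedit exports the effective local policy, including [Privilege Rights], as a Unicode .inf
    $cfg = Join-Path $env:TEMP 'userrights-export.inf'    # placeholder file name
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeLoadDriverPrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }                        # right assigned to nobody
    # The exported line looks like: SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-32-551
    $value = ($line -split '=', 2)[1]
    $value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
}

function Grant-LoadDriverPrivilegeToPowerUsers {
    $holders = @(Get-LoadDriverPrivilegeHolders)
    if ($holders -contains $PowerUsersSid) {
        return 'Power Users already hold SeLoadDriverPrivilege'
    }
    # secedit /configure REPLACES the right's whole member list, so carry the existing holders over
    $newValue = (($holders + $PowerUsersSid) | ForEach-Object { "*$_" }) -join ','
    $inf = Join-Path $env:TEMP 'userrights-grant.inf'     # placeholder file names
    $db  = Join-Path $env:TEMP 'userrights-grant.sdb'
    @(
        '[Unicode]', 'Unicode=yes',
        '[Version]', 'signature="$CHICAGO$"', 'Revision=1',
        '[Privilege Rights]', "SeLoadDriverPrivilege = $newValue"
    ) | Set-Content -Path $inf -Encoding Unicode
    & secedit.exe /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
    return "Granted SeLoadDriverPrivilege to $(ConvertTo-AccountName $PowerUsersSid)"
}

# Usage: report the current holders first; widen the grant only as a deliberate second step
Get-LoadDriverPrivilegeHolders | ForEach-Object { '{0,-22} {1}' -f $_, (ConvertTo-AccountName $_) }
# Grant-LoadDriverPrivilegeToPowerUsers
```

Two things worth knowing before running the grant: secedit's /configure writes the complete list for the right, which is why the script re-includes whoever already holds it rather than just appending; and "Load and unload device drivers" is the right to load kernel-mode code, so a group that holds it is not meaningfully less privileged than Administrators. The export-first design is there so the change is visible and reviewable before it is made.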
 
Assisted Solution by: Sandeshdubey (earned 500 total points)
ID: 36520777
Just adding a user to the Power Users group will not allow the user to install software/printers; you need to add the user to the local admin group to achieve the same.

You can install software and add printers without adding the user to the admin or Power Users group.

To install software you can deploy the software via the Software Installation feature in Group Policy, a startup script, or look for a professional software distribution solution by a third-party software provider.
Refer to this link for more details: http://www.frickelsoft.net/blog/?p=29
Software installation GPO: http://support.microsoft.com/kb/816102

For the printer you can share the printer and add permissions on the printer. The user can map the printer in their profile. You can also deploy a GPO to map the printer or you can create a script to map the printers.
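The "script to map the printers" route mentioned above is the one that needs no group membership change at all, because a per-user printer connection is created in the user's own profile. Here is an added example of such a logon script (mine, not Sandeshdubey's) using the WScript.Network COM object, which is available to PowerShell 2.0 on XP and 7. The print server name PRINTSRV01 and the share names FLOOR1-HP and FLOOR2-LEXMARK are placeholders I made up; the drivers are assumed to be installed on the server's shares.

```powershell
# Added example, not from the thread: map shared printers for a standard (non-admin) user.
# Assumes a print server PRINTSRV01 with shares FLOOR1-HP and FLOOR2-LEXMARK (placeholders)
# whose drivers are already installed server-side. Runs as the user, e.g. as a logon script.

$PrintServer    = 'PRINTSRV01'
$SharedPrinters = @('FLOOR1-HP', 'FLOOR2-LEXMARK')
$DefaultPrinter = 'FLOOR1-HP'

function Get-MappedPrinterConnections {
    # UNC names (\\server\share) of the network printers already present in this user's profile
    Get-WmiObject Win32_Printer -Filter 'Network = TRUE' | ForEach-Object { $_.Name }
}

function Add-SharedPrinterConnections {
    $net      = New-Object -ComObject WScript.Network
    $existing = @(Get-MappedPrinterConnections)   # makes the script safe to re-run at every logon
    $result   = @()
    foreach ($share in $SharedPrinters) {
        $unc = "\\$PrintServer\$share"
        if ($existing -contains $unc) {           # -contains is case-insensitive for strings
            $result += "$unc already mapped"
            continue
        }
        try {
            $net.AddWindowsPrinterConnection($unc)  # per-user connection; no elevation involved
            $result += "$unc mapped"
        } catch {
            # Typical causes: server unreachable, share misspelt, no Print permission on the queue
            $result += "$unc FAILED: $($_.Exception.Message)"
        }
    }
    $net.SetDefaultPrinter("\\$PrintServer\$DefaultPrinter")
    return $result
}

Add-SharedPrinterConnections
```

The permission side of Sandeshdubey's answer still applies: the share needs to grant the users Print permission. On Windows 7 whether the driver can be pulled from the server without an elevation prompt is controlled by the Point and Print Restrictions policy, so test the script as an ordinary domain user before rolling it out.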
 
Expert Comment by: Thomas_Roes
ID: 36522973
"They are used to installing their own software, and install their own printers. Management have signed this off . . . ."

Then it all boils down to this:

Your users need an administrative account.

Modern best practice is to only log in with your administrative account for administrative tasks.
For day-to-day use, use a normal user account.

Chances are that your users will not want to use 2 accounts, and your management will not force them to do so.

My solution is simple:

Tell your management that their "OK" to use local administrative accounts on a day-to-day basis is bad for security, your advice is not to do so, and to let users use a user account. If needed, supply users with a user and an administrative account. (Be sure not to let them use email on their administrative account, or they will never use their normal account).

Better, beef up your software and device driver management from the network. Let your users do their job (i.e. earning money for the company so they can pay you) instead of wasting time "administrating" their "own" PC.

Historically, we had Windows 98, Windows 2000 and XP. A lot of programs were tested by their developers with a local administrative account. But this is HISTORY.

In 2011, you should dump any program that needs local administrator rights on a day-to-day basis. Virtually ALL security fails when users log in with local administrator rights.

At the very least, get all your users to Windows 7 and KEEP UAC ON! That way, even with a local administrative account, you at least have to click "OK" when a virus tries to install itself.

Thomas Roes
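Before arguing the two-account model with management it helps to have numbers: how many day-to-day accounts are sitting in local Administrators, and whether UAC is actually on. This is an added example (mine, not Thomas's) that inventories both on a machine using the WinNT ADSI provider and the EnableLUA registry value, so it runs on XP and 7 without extra modules. It assumes that dedicated admin accounts follow a naming convention; the "-adm" suffix is my assumption, substitute your own.

```powershell
# Added example, not from the thread: list who is in local Administrators and whether UAC is on.
# Assumes PowerShell 2.0 on XP/7. The "-adm" suffix for dedicated admin accounts is an
# assumption for illustration; adjust to your own naming convention.

$AdminSuffix = '-adm'

function Get-LocalAdministrators {
    # The WinNT provider needs no ActiveDirectory module and works on XP/7
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $path = $m.GetType().InvokeMember('AdsPath', 'GetProperty', $null, $m, $null)
        $cls  = $m.GetType().InvokeMember('Class',   'GetProperty', $null, $m, $null)
        # AdsPath looks like WinNT://DOMAIN/name or WinNT://COMPUTER/name
        $parts = ($path -replace '^WinNT://', '') -split '/'
        New-Object PSObject -Property @{
            Name    = $parts[-1]
            Source  = $parts[0]
            Class   = $cls                                   # 'User' or 'Group'
            IsLocal = ($parts[0] -eq $env:COMPUTERNAME)
        }
    }
}

function Get-UacState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # EnableLUA = 1 means UAC is on (Vista/7); the value does not exist on XP
    if ($p -eq $null -or $p.EnableLUA -eq $null) { return 'not available (XP?)' }
    if ($p.EnableLUA -eq 1) { 'on' } else { 'OFF' }
}

function Get-DayToDayAdminAccounts {
    # User accounts (nested groups are reported separately) that are not dedicated admin accounts.
    # The built-in local Administrator account shows up here too; that is intentional.
    Get-LocalAdministrators | Where-Object {
        $_.Class -eq 'User' -and $_.Name -notlike "*$AdminSuffix"
    }
}

"UAC: $(Get-UacState)"
Get-DayToDayAdminAccounts | Format-Table Source, Name, IsLocal -AutoSize
```

Run it from a startup script or remotely across the fleet and the output is the list of accounts that would move to a standard user account under Thomas's proposal, plus the machines where UAC is off and therefore the "click OK" safety net he describes does not exist.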
 
Author Comment by: Simon336697
ID: 36528460
Thanks Thomas much appreciated answer mate.
Thanks x_layer.
Thanks sandesh.
And thank you Hiren.