Flipp asked:

Change from Local Admins to Local Users Group

I look after a number of networks for small businesses, and most if not all have their Users as local administrators (all are in a domain environment).
From a security and operational perspective my preference is to have Users not be local admins, but I am curious as to whether there are any best practices or guides on transitioning and any gotchas I should test first.
John

Having a regular (normal) user as a local admin is a sure road to problems. All of my clients have accepted this thinking and the problem level is very low.
Flipp (ASKER)

I suppose it is a two-fold issue, in that there is the technical side which I want to get some info on as well as test, but to sell to the business manager .... any advice?
SOLUTION
John

This solution is only available to members.
technical side which I want to get some info on as well as test, <--- I am not sure what technical information. There are as many ways to break computers as there are users.
Flipp (ASKER)

Things like configuring UAC or other components that will affect a User that goes from being an admin to a standard user. I know keeping Adobe Flash and Java up to date could be a headache if we restrict our users from these upgrades, due to software requirements to always have the latest version and the regularity of upgrades being released.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Flipp (ASKER)

Do you deploy/manage updates for Reader, Flash and Java Runtime? I am pretty happy with simply using GPO to deploy these but also know the application itself can update itself.
Our clients are small businesses so we just update as needed. Adobe updates 2 or 3 times a year. We see clients weekly. Similarly with Flash and Java. It is easy to manage. We have a number of laptops not on domain (mostly not in the office).

Windows updates are the most frequent and they are automatic.
my preference is to have Users not be local admins, <-- I certainly agree and I think I have given you lots of reasons to proceed with your own preference. It is not perfect but it is better than the alternative.
Flipp (ASKER)

Thanks John - a great summary. I do like the basic setup of managing the core software updates across platforms with Users as non-admins.
@Flipp - You are most welcome and I was very happy to help. Good luck with your clients and users.