Change from Local Admins to Local Users Group

I look after a number of networks for small businesses and most if not all have their Users as local administrators (all are in a domain environment).
From a security and operational perspective my preference is to have Users not be local admins, but I am curious to if there are any best practices or guides on transitioning and any gotchas I should test first.
LVL 6
FlippAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JohnBusiness Consultant (Owner)Commented:
Having a regular (normal) user as a local admin is a sure road to problems. All of my clients have accepted this thinking and problem level is very low.
0
FlippAuthor Commented:
I suppose a two fold issue in that there is the technical side which I want to get some info on as well as test, but to sell to the business manager .... any advice?
0
JohnBusiness Consultant (Owner)Commented:
As I noted, clients have asked me and we have tested local admin users. It always results in problems (people do silly things with computers). As a result, we have backed away and at this point ALL users in ALL clients are regular users. None are admins. It is cheaper for me and my colleague to service requests regularly than to fix broken operating systems. Managers and owners find we are more economical than careless or unthinking users.
0
What were the top attacks of Q1 2018?

The Threat Lab team analyzes data from WatchGuard’s Firebox Feed, internal and partner threat intelligence, and a research honeynet, to provide insightful analysis about the top threats on the Internet. Check out our Q1 2018 report for smart, practical security advice today!

JohnBusiness Consultant (Owner)Commented:
technical side which I want to get some info on as well as test, <--- I am not sure what technical information. There are as many ways to break computers as there are users.
0
FlippAuthor Commented:
Things like configuring UAC or other components that will affect a User that goes from being an admin to a standard user. I know keeping Adobe Flash and Java up to date could be a headache if we restrict our users from these upgrades due to software requirements to always having latest version and regularity of upgrades being released.
0
JohnBusiness Consultant (Owner)Commented:
Users should never be allowed to configure UAC. It almost never needs to be turned off.

Adobe and Flash are problem children. We just schedule those updates.  People will try to download Flash (it can't be) and get malware in the process.

Windows updates are automatic on shutdown.

After a decade at this, I have heard ALL the reasons and then some. I am cheaper than a user who does not know what they are doing.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
FlippAuthor Commented:
Do you deploy/manage updates for Reader, Flash and Java Runtime? I am pretty happy with simply using GPO to deploy these but also know the application itself can update itself.
0
JohnBusiness Consultant (Owner)Commented:
Our clients are small businesses so we just update as needed. Adobe updates 2 or 3 times a year. We see clients weekly. Similarly with Flash and Java. It is easy to manage.  We have a number of laptops not on domain (mostly not in the office).

Windows updates are the most frequent and they are automatic.
0
JohnBusiness Consultant (Owner)Commented:
my preference is to have Users not be local admins,  <-- I certainly agree and I think I have given you lots of reason to proceed with your own preference. It is not perfect but it is better than the alternative.
0
FlippAuthor Commented:
Thanks John - a great summary. I do like the basic setup of managing the core software updates across platforms with Users as non-admins.
0
JohnBusiness Consultant (Owner)Commented:
@Flipp - You are most welcome and I was very happy to help. Good luck with your clients and users.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 7

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.