We help IT Professionals succeed at work.

Security requires end users to user the domain admins user/pass to run programs on their workstations

174 Views
Last Modified: 2014-12-04
We have a server that was a stand alone file server. The need arose to convert it to convert it to an Active Directory Domain controller. After this was done and the existing users were joined to it there have been a few programs on a few workstations that have required the domain server user/pass to run. How do I give these end users permission to run their needed programs without elevating them?
Comment
Watch Question

Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION
Agreed with John.

The users most likely need to be local admins on their PCs in order to run those programs. OR you can reach out to the vendor of those programs and see if they have a least priv. model for how to provide access to the programs to standard user accounts.

E.g. some vendors will give you a list of folders and reg keys that the user must have Full Control on but can remain a standard user account.. and this allows them to run the program without making them a local admin.

Author

Commented:
OK, I will look into these suggestions. Thanks for the quick input.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Let's analyze before we recommend.
If your users weren't admins before they joined the domain, but they were able to run all those programs, then we can surely enable them also domain joined.
Was that the case? or were they local admins before joining the domain?

Author

Commented:
They were local admins.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
I see.
Than the method of choice is indeed the tool that John links. But be aware that it will cause administrative overhead and costs. it would be better to eliminate the need for admin privileges by using compatible software.

Author

Commented:
The software is for banking purposes. After speaking with the IT department they informed me that the user will have to be an admin. So that is what I will do.

Author

Commented:
John Hurst said "You either have to provide administrative credentials to these users or..."

This is what the clients Bank IT department told me to do.
JohnBusiness Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
@jbcbussoft  - Thanks for the update and I was happy to help.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
You are giving all of them admin status? Very bad advice by your bank, security wise.
At least look at the software that was linked and also ask if that's all the bank's developers have to offer. It's less than poor.

Author

Commented:
The two users are the CEO and CFO these are the only two that have the software and/or the problem. They have had admin status for years on their pc's with no problems. If problems arise we will address them.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
One of the most common errors is to give important people admin status just to avoid quarrels (of any kind) with them. They are the most likely ones picked for direct attacks - and being admin really improves the attackers' chance to infect them.

Author

Commented:
noted.
If you have to give them admin status, I would advise ensuring you are using layers of security on their boxes. Since giving them admin status is a risk, consider the controls you could put in place to minimize the risk level.

For example, you could consider the software from Beyond Trust that allows you to give admin rights to your users but still control what they do... suchas you could prevent the CFO and CEO from installing other software.

Ensure you have active and quality AV protection on their computers. Consider DLP if you do not already have it. In addition, take a look at perimeter security and ensure you have good IPS/AV/web filtering etc. All of these items combined help to reduce the overall risk of granting those two users admin access.

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.