Solved

Security requires end users to user the domain admins user/pass to run programs on their workstations

Posted on 2014-12-02
14
147 Views
Last Modified: 2014-12-04
We have a server that was a stand alone file server. The need arose to convert it to convert it to an Active Directory Domain controller. After this was done and the existing users were joined to it there have been a few programs on a few workstations that have required the domain server user/pass to run. How do I give these end users permission to run their needed programs without elevating them?
0
Comment
Question by:jbcbussoft
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 4
  • 2
  • +1
14 Comments
 
LVL 96

Accepted Solution

by:
Experienced Member earned 500 total points
ID: 40475795
Windows does not really have a way to allow standard users to run programs that require administrative credentials.

You either have to provide administrative credentials to these users or use something like Power Broker for Windows from Beyond Trust. This will do what you need. It is like an extension to Group Policies.

http://www.beyondtrust.com/PowerBroker-Desktops-Windows-Edition.aspx?section=PowerBroker-Desktops-Windows-Edition
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40476033
Agreed with John.

The users most likely need to be local admins on their PCs in order to run those programs. OR you can reach out to the vendor of those programs and see if they have a least priv. model for how to provide access to the programs to standard user accounts.

E.g. some vendors will give you a list of folders and reg keys that the user must have Full Control on but can remain a standard user account.. and this allows them to run the program without making them a local admin.
0
 

Author Comment

by:jbcbussoft
ID: 40476096
OK, I will look into these suggestions. Thanks for the quick input.
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 55

Expert Comment

by:McKnife
ID: 40476147
Let's analyze before we recommend.
If your users weren't admins before they joined the domain, but they were able to run all those programs, then we can surely enable them also domain joined.
Was that the case? or were they local admins before joining the domain?
0
 

Author Comment

by:jbcbussoft
ID: 40477026
They were local admins.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40477049
I see.
Than the method of choice is indeed the tool that John links. But be aware that it will cause administrative overhead and costs. it would be better to eliminate the need for admin privileges by using compatible software.
0
 

Author Comment

by:jbcbussoft
ID: 40479227
The software is for banking purposes. After speaking with the IT department they informed me that the user will have to be an admin. So that is what I will do.
0
 

Author Closing Comment

by:jbcbussoft
ID: 40479231
John Hurst said "You either have to provide administrative credentials to these users or..."

This is what the clients Bank IT department told me to do.
0
 
LVL 96

Expert Comment

by:Experienced Member
ID: 40479242
@jbcbussoft  - Thanks for the update and I was happy to help.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40479534
You are giving all of them admin status? Very bad advice by your bank, security wise.
At least look at the software that was linked and also ask if that's all the bank's developers have to offer. It's less than poor.
0
 

Author Comment

by:jbcbussoft
ID: 40479547
The two users are the CEO and CFO these are the only two that have the software and/or the problem. They have had admin status for years on their pc's with no problems. If problems arise we will address them.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 40479553
One of the most common errors is to give important people admin status just to avoid quarrels (of any kind) with them. They are the most likely ones picked for direct attacks - and being admin really improves the attackers' chance to infect them.
0
 

Author Comment

by:jbcbussoft
ID: 40479591
noted.
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40480658
If you have to give them admin status, I would advise ensuring you are using layers of security on their boxes. Since giving them admin status is a risk, consider the controls you could put in place to minimize the risk level.

For example, you could consider the software from Beyond Trust that allows you to give admin rights to your users but still control what they do... suchas you could prevent the CFO and CEO from installing other software.

Ensure you have active and quality AV protection on their computers. Consider DLP if you do not already have it. In addition, take a look at perimeter security and ensure you have good IPS/AV/web filtering etc. All of these items combined help to reduce the overall risk of granting those two users admin access.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Assume you have an outside contractor who comes in seasonally or once a week to do some work in your office, but you only want to give him access to the programs and files he needs and keep all other documents and programs private. Can you do this o…
A quick guide on how to use Group Policy to create a custom power plan and set it active on Windows 7.
This Micro Tutorial will go in depth within Systems and Security in Windows 7 and will go into detail regarding Action Center, Windows Firewall, System, etc. This will be demonstrated using Windows 7 operating system.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question