To revoke or allow local admin rights?

This may open up a massive debate (again), but as part of our ISO27001 compliance we revoked all local admin rights and deployed MS's LAPS solution, which manages the passwords on a local admin account. This local admin account is used for any local admin duties. We have around twenty hardware/firmware and software engineers, and our CTO is telling me that revoking local admin rights has blocked work; his argument is that some tools now do not work as expected and the process of entering credentials (and an unmemorable password) is causing frustration.
I can tweak our current solution (LAPS) to alleviate the frustration somewhat and may even be able to resolve the blocked tools/software; however, I wonder if I need to look at this afresh.

What we are trying to achieve here is to protect our systems from malware, adware, viruses, bloatware etc. and therefore protect the integrity of our data.

We do have AV in place (ESET) and this does a good job of telling me about known viruses and PUA (potentially unwanted applications), but it does not block malware, adware and bloatware. My suggestion was to invest in something like Malwarebytes Premium and additionally block known download sites that contain the above threats. This would be difficult, as some of these are well-known first ports of call for downloads (Cnet, brothersoft, soft32...).

I would like to know what others do in this situation. Whether there are solutions I could deploy easily (LAPS was not easy to configure) or if there is something I am missing.


The concept "users use, admins administer", as easy as it sounds, is hard to achieve. If you were setting up a new network, you'd be able to adjust to that pretty easily and buy only software that is compatible with non-admin usage. But imposing this on a grown network is always hard.

The best anti-malware protection is AppLocker. Administering AppLocker, again, is quite exhausting, but worth it. Look at AppLocker; it might help you sleep better even though some people have administrative rights.
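An added example (not the answerer's own code) of the audit-first approach that keeps the administration burden down: inventory the engineers' installed tools, generate an AppLocker executable policy in AuditOnly mode, and check which tools a standard user would still be denied before anything is enforced. It assumes you run it elevated on a reference workstation; the directories and the `CORP\engineer` account are placeholders.

```powershell
# Added example, not from the thread. Assumptions: elevated PowerShell on a
# reference workstation, built-in AppLocker module, placeholder paths/user.
Import-Module AppLocker

$toolDirs   = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\EngTools')  # placeholders
$policyPath = Join-Path $env:TEMP 'applocker-exe-audit.xml'

# Inventory every executable under the tool directories. Signed binaries get
# publisher rules (which survive updates); unsigned ones fall back to hash rules.
$files = $toolDirs | Where-Object { Test-Path $_ } |
    ForEach-Object { Get-AppLockerFileInformation -Directory $_ -Recurse -FileType Exe }

$policy = New-AppLockerPolicy -FileInformation $files `
    -RuleType Publisher, Hash -User Everyone `
    -RuleNamePrefix 'Inventory' -Optimize -Xml

# New-AppLockerPolicy leaves enforcement "NotConfigured". Switch every rule
# collection to AuditOnly so nothing is blocked yet, only logged (event 8003).
$xml = [xml]$policy
foreach ($rc in $xml.AppLockerPolicy.RuleCollection) { $rc.EnforcementMode = 'AuditOnly' }
$xml.Save($policyPath)

# Simulate the policy for a standard user against the engineering tool set.
# Anything reported as DeniedByDefault is a tool that still needs a rule.
Get-ChildItem -Path 'C:\EngTools' -Recurse -Include *.exe -ErrorAction SilentlyContinue |
    Test-AppLockerPolicy -XmlPolicy $policyPath -User 'CORP\engineer' -Filter Denied, DeniedByDefault |
    Select-Object FilePath, PolicyDecision, MatchingRule | Format-Table -AutoSize

# Once the audit policy has been deployed via GPO, summarise what users actually
# ran that the policy would have stopped, so the rule set can be fixed up first.
Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics |
    Sort-Object Counter -Descending | Select-Object -First 20
```

Only after the audit log stops producing surprises would the same XML be re-saved with `EnforcementMode="Enabled"` and linked through Group Policy.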

I must admit I have acquired a number of networks where users are local admins, but have not done sufficient testing to know how easy it might be to make the changes in production.
Very interested to hear EE advice.
fuzzyfreak (Author) commented:
I will look at AppLocker and see if this is acceptable - thanks.
fuzzyfreak (Author) commented:
Not had time to look at AppLocker, but it potentially looks like an idea. Also discovered UAC via Group Policy, which may also be a good combination.
Remember that local admins can shut down GPO processing altogether (if they wanted to). So even AppLocker cannot stop admins that "really want it".