Solved

Removing local Admin rights from users

Posted on 2016-10-18
8
91 Views
Last Modified: 2016-10-22
Dear Experts,
I have been told to remove all local admin rights from the users on our network.   Even though I am the only one that installs applications on these laptops, I am hesitant to go ahead and do this because,
1. If I am absent, no one can run a script on a website that they may need.
2. If the user is off-site and has technical difficulty, I cannot use remote login ( I use LogmeinRescue ) to help because the user needs to run this plug-in as administrator.

I understand the need to block users from admin rights for security reasons, what would be the best approach for this?
Please advise.
0
Comment
Question by:yballan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 1

Expert Comment

by:Ruud de Kwaadsteniet
ID: 41848929
Create an local install user by gpo. Change the password  every month or every 2 weeks. Give it only to one other person who can modify things for you when you are not there.
0
 
LVL 62

Expert Comment

by:gheist
ID: 41848955
Create couple of domain accounts and make that group local admin on all machines.
msiexec -i is not the worst way to install
0
 

Author Comment

by:yballan
ID: 41849110
Dear Ruud de Kwaadsteniet,
Thank you for a quick reply.  Does that mean when I need to remotely access that laptop, I will have to give the local install user password to the user so he/she can install the plug-in for LogmeInRescue?
For installing plug-in, credential window is blocked from me, so I cannot type it in.

Dear gheist,
Thank you for a quick reply.  I have the same question as above.
During the remote session by LogmeInRescue, the person must download the plug-in to connect, and at that time to run, it asks for the Admin password.  That screen is blocked and I cannot see it, so the user must type it in.  That means I give away the password to an account for installation, correct?
0
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

 
LVL 78

Expert Comment

by:arnold
ID: 41849286
If computers are members of a donain, create a computer GPO using computer configuration, Windows settings, security settings, restricted groups, here you can define the administrators (built-in) then usin the restriction part, you would add only the users/accounts that you want to be members of this group, when the system will process this GPO, it will kick out any user account, or any group not included in the GPO
Make donain admins, enterprise admis, are included. As well as a local account you created in the event you need access to the sustem, while away from the LAN......... Or when the account you gave never logged into the system.

Since you reference that this is a laptop, you would prevent the users from doing ir being able to do sone things they might require.

...
0
 
LVL 64

Accepted Solution

by:
btan earned 250 total points
ID: 41849308
Removing admin right from user is striking a balance so you cannot give local admin or have such self help tech support if user is not having privileged roles and group. There can be those self portal for password reset if lockout without contacting helpdesk, but besides that you need to decide the privileges that normal user vs those privileged users. To share
Microsoft provides two mechanisms in Group Policy to manage local group membership.


The first is a Group Policy extension called Restricted Groups.

Restricted Groups allows you to overwrite the existing local group with what you have configured in the Group Policy setting.

The other option is within Group Policy Preferences. The Local Users and Groups extension allows you to modify the local group
https://www.beyondtrust.com/blog/removing-users-from-the-local-administrators-group/
0
 
LVL 1

Assisted Solution

by:Ruud de Kwaadsteniet
Ruud de Kwaadsteniet earned 250 total points
ID: 41855285
Sorry for my late reply, it was a busy week...

Yes you'll giva away the password for the localadmin account but you have a few options;
- reset the password every x time. Just do this in ad, and it wil update by gpo on all notebooks/computers.
- edit the userrights of this localadmin so that it is for logmein only. And that users cannot abuse the account for other installations.

For external users it is never easy. You give either too many rigjts, or they have to less rights.
0
 

Author Closing Comment

by:yballan
ID: 41855441
Dear arnold, thank you for your reply.
After speaking to LogmeIn, they have suggested something like what btan and Ruud de Kwaadsteniet are suggesting, so I think I will go with that, but thank you for educating me.

Dear btan and Ruud de Kwaadsteniet, thank you for your reply.
LogmeIn is suggesting something in line with "userrights of this localadmin so that it is for logmein only", so I will try this route.
It is certainly good to know what the experts would do in situation such as this.
0
 
LVL 1

Expert Comment

by:Ruud de Kwaadsteniet
ID: 41855451
Youre welcome!

Good luck with it.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
You may have a outside contractor who comes in once a week or seasonal to do some work in your office but you only want to give him access to the programs and files he needs and keep privet all other documents and programs, can you do this on a loca…
This Micro Tutorial will teach you how to the overview of Microsoft Security Essentials. This is a free anti-virus software that guards your PC against viruses, spyware, worms, and other malicious software. This will be demonstrated using Windows…
This Micro Tutorial will give you a basic overview of Windows Live Photo Gallery and show you various editing filters and touches to photos you can apply. This will be demonstrated using Windows Live Photo Gallery on Windows 7 operating system.

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question