Solved

Removing local Admin rights from users

Posted on 2016-10-18
8
60 Views
Last Modified: 2016-10-22
Dear Experts,
I have been told to remove all local admin rights from the users on our network.   Even though I am the only one that installs applications on these laptops, I am hesitant to go ahead and do this because,
1. If I am absent, no one can run a script on a website that they may need.
2. If the user is off-site and has technical difficulty, I cannot use remote login ( I use LogmeinRescue ) to help because the user needs to run this plug-in as administrator.

I understand the need to block users from admin rights for security reasons, what would be the best approach for this?
Please advise.
0
Comment
Question by:yballan
8 Comments
 
LVL 1

Expert Comment

by:Ruud de Kwaadsteniet
ID: 41848929
Create an local install user by gpo. Change the password  every month or every 2 weeks. Give it only to one other person who can modify things for you when you are not there.
0
 
LVL 61

Expert Comment

by:gheist
ID: 41848955
Create couple of domain accounts and make that group local admin on all machines.
msiexec -i is not the worst way to install
0
 

Author Comment

by:yballan
ID: 41849110
Dear Ruud de Kwaadsteniet,
Thank you for a quick reply.  Does that mean when I need to remotely access that laptop, I will have to give the local install user password to the user so he/she can install the plug-in for LogmeInRescue?
For installing plug-in, credential window is blocked from me, so I cannot type it in.

Dear gheist,
Thank you for a quick reply.  I have the same question as above.
During the remote session by LogmeInRescue, the person must download the plug-in to connect, and at that time to run, it asks for the Admin password.  That screen is blocked and I cannot see it, so the user must type it in.  That means I give away the password to an account for installation, correct?
0
 
LVL 76

Expert Comment

by:arnold
ID: 41849286
If computers are members of a donain, create a computer GPO using computer configuration, Windows settings, security settings, restricted groups, here you can define the administrators (built-in) then usin the restriction part, you would add only the users/accounts that you want to be members of this group, when the system will process this GPO, it will kick out any user account, or any group not included in the GPO
Make donain admins, enterprise admis, are included. As well as a local account you created in the event you need access to the sustem, while away from the LAN......... Or when the account you gave never logged into the system.

Since you reference that this is a laptop, you would prevent the users from doing ir being able to do sone things they might require.

...
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 61

Accepted Solution

by:
btan earned 250 total points
ID: 41849308
Removing admin right from user is striking a balance so you cannot give local admin or have such self help tech support if user is not having privileged roles and group. There can be those self portal for password reset if lockout without contacting helpdesk, but besides that you need to decide the privileges that normal user vs those privileged users. To share
Microsoft provides two mechanisms in Group Policy to manage local group membership.


The first is a Group Policy extension called Restricted Groups.

Restricted Groups allows you to overwrite the existing local group with what you have configured in the Group Policy setting.

The other option is within Group Policy Preferences. The Local Users and Groups extension allows you to modify the local group
https://www.beyondtrust.com/blog/removing-users-from-the-local-administrators-group/
0
 
LVL 1

Assisted Solution

by:Ruud de Kwaadsteniet
Ruud de Kwaadsteniet earned 250 total points
ID: 41855285
Sorry for my late reply, it was a busy week...

Yes you'll giva away the password for the localadmin account but you have a few options;
- reset the password every x time. Just do this in ad, and it wil update by gpo on all notebooks/computers.
- edit the userrights of this localadmin so that it is for logmein only. And that users cannot abuse the account for other installations.

For external users it is never easy. You give either too many rigjts, or they have to less rights.
0
 

Author Closing Comment

by:yballan
ID: 41855441
Dear arnold, thank you for your reply.
After speaking to LogmeIn, they have suggested something like what btan and Ruud de Kwaadsteniet are suggesting, so I think I will go with that, but thank you for educating me.

Dear btan and Ruud de Kwaadsteniet, thank you for your reply.
LogmeIn is suggesting something in line with "userrights of this localadmin so that it is for logmein only", so I will try this route.
It is certainly good to know what the experts would do in situation such as this.
0
 
LVL 1

Expert Comment

by:Ruud de Kwaadsteniet
ID: 41855451
Youre welcome!

Good luck with it.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Suggested Solutions

This is a guide to the following problem (not exclusive but here) on Windows: Users need our support and we supporters often use global administrative accounts to do this. Using these accounts safely is a real challenge. Any admin who takes se…
Article by: btan
The intent is not to repeat what many has know about Ransomware but more to join its dots of what is it, who are the victims, why it exists, when and how we respond on infection. Lastly, sum up in a glance to share such information with more to help…
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum editing capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now