Solved

Removing local Admin rights from users

Posted on 2016-10-18
Last Modified: 2016-10-22
Dear Experts,
I have been told to remove all local admin rights from the users on our network. Even though I am the only one that installs applications on these laptops, I am hesitant to go ahead and do this because:
1. If I am absent, no one can run a script on a website that they may need.
2. If the user is off-site and has technical difficulty, I cannot use remote login (I use LogmeinRescue) to help because the user needs to run this plug-in as administrator.

I understand the need to block users from admin rights for security reasons; what would be the best approach for this?
Please advise.
Question by:yballan
8 Comments
 
LVL 1

Expert Comment

by:Ruud de Kwaadsteniet
ID: 41848929
Create a local install user by GPO. Change the password every month or every 2 weeks. Give it only to one other person who can modify things for you when you are not there.
 
LVL 62

Expert Comment

by:gheist
ID: 41848955
Create a couple of domain accounts and make that group local admin on all machines.
msiexec -i is not the worst way to install
 

Author Comment

by:yballan
ID: 41849110
Dear Ruud de Kwaadsteniet,
Thank you for a quick reply.  Does that mean when I need to remotely access that laptop, I will have to give the local install user password to the user so he/she can install the plug-in for LogmeInRescue?
For installing the plug-in, the credential window is blocked from me, so I cannot type it in.

Dear gheist,
Thank you for a quick reply.  I have the same question as above.
During the remote session by LogmeInRescue, the person must download the plug-in to connect, and at that time to run, it asks for the Admin password.  That screen is blocked and I cannot see it, so the user must type it in.  That means I give away the password to an account for installation, correct?
 
LVL 77

Expert Comment

by:arnold
ID: 41849286
If the computers are members of a domain, create a computer GPO using Computer Configuration, Windows Settings, Security Settings, Restricted Groups. Here you can define the Administrators (built-in) group; then, using the restriction part, you would add only the users/accounts that you want to be members of this group. When the system processes this GPO, it will kick out any user account or any group not included in the GPO.
Make sure domain admins and enterprise admins are included, as well as a local account you created in the event you need access to the system while away from the LAN......... Or when the account you gave never logged into the system.

Since you reference that this is a laptop, you would prevent the users from doing or being able to do some things they might require.

...
 
LVL 62

Accepted Solution

by:
btan earned 250 total points
ID: 41849308
Removing admin rights from users is striking a balance, so you cannot give local admin or have such self-help tech support if the user does not have privileged roles and groups. There can be self-service portals for password reset on lockout without contacting the helpdesk, but besides that you need to decide the privileges of normal users vs. privileged users. To share:
Microsoft provides two mechanisms in Group Policy to manage local group membership.


The first is a Group Policy extension called Restricted Groups.

Restricted Groups allows you to overwrite the existing local group with what you have configured in the Group Policy setting.

The other option is within Group Policy Preferences. The Local Users and Groups extension allows you to modify the local group
https://www.beyondtrust.com/blog/removing-users-from-the-local-administrators-group/
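A read-only preview of what the Restricted Groups approach described in the two answers above would change on one machine, as an added example that is not part of the original thread. The account names in `$Allowed` are placeholders, and `Compare-AdminMembership` is a hypothetical helper name.

```powershell
# Added example: preview what a Restricted Groups policy for BUILTIN\Administrators
# would change on this machine. Read-only; it does not modify group membership.
# The account names below are placeholders (assumptions), not values from the thread.
$Allowed = @(
    'CONTOSO\Domain Admins',
    'CONTOSO\Enterprise Admins',
    "$env:COMPUTERNAME\LocalSupport"   # hypothetical local fallback account
)

function Compare-AdminMembership {
    param(
        [object[]]$Current,   # objects with Name and SID, as Get-LocalGroupMember returns
        [string[]]$Allowed
    )
    foreach ($m in $Current) {
        # The built-in Administrator (RID 500) cannot be removed from the group.
        $builtin = "$($m.SID)" -match '^S-1-5-21-.+-500$'
        $action  = if ($builtin -or $Allowed -contains $m.Name) { 'Keep' } else { 'Remove' }
        [pscustomobject]@{ Member = $m.Name; Action = $action }
    }
    # Allowed entries that are not yet members would be added by the policy.
    foreach ($a in $Allowed) {
        if ($Current.Name -notcontains $a) {
            [pscustomobject]@{ Member = $a; Action = 'Add' }
        }
    }
}

# S-1-5-32-544 is the well-known SID of the local Administrators group,
# so the lookup works regardless of the OS display language.
$current = Get-LocalGroupMember -SID 'S-1-5-32-544'
Compare-AdminMembership -Current $current -Allowed $Allowed |
    Sort-Object Action, Member | Format-Table -AutoSize
```

Running this on a sample of laptops before linking the GPO shows which accounts would lose admin rights, so anything that still depends on them can be found first.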
 
LVL 1

Assisted Solution

by:Ruud de Kwaadsteniet
Ruud de Kwaadsteniet earned 250 total points
ID: 41855285
Sorry for my late reply, it was a busy week...

Yes, you'll give away the password for the localadmin account, but you have a few options:
- Reset the password every x time. Just do this in AD, and it will update by GPO on all notebooks/computers.
- Edit the userrights of this localadmin so that it is for logmein only, and so that users cannot abuse the account for other installations.

For external users it is never easy. You give either too many rights, or they have too few rights.
 

Author Closing Comment

by:yballan
ID: 41855441
Dear arnold, thank you for your reply.
After speaking to LogmeIn, they have suggested something like what btan and Ruud de Kwaadsteniet are suggesting, so I think I will go with that, but thank you for educating me.

Dear btan and Ruud de Kwaadsteniet, thank you for your reply.
LogmeIn is suggesting something in line with "userrights of this localadmin so that it is for logmein only", so I will try this route.
It is certainly good to know what the experts would do in a situation such as this.
 
LVL 1

Expert Comment

by:Ruud de Kwaadsteniet
ID: 41855451
You're welcome!

Good luck with it.

Question has a verified solution.
