  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 123

Removing local Admin rights from users

Dear Experts,
I have been told to remove all local admin rights from the users on our network.   Even though I am the only one that installs applications on these laptops, I am hesitant to go ahead and do this because,
1. If I am absent, no one can run a script on a website that they may need.
2. If the user is off-site and has technical difficulty, I cannot use remote login ( I use LogmeinRescue ) to help because the user needs to run this plug-in as administrator.

I understand the need to block users from admin rights for security reasons, what would be the best approach for this?
Please advise.
0
yballan
2 Solutions
 
Ruud de KwaadstenietCommented:
Create a local install user by GPO. Change the password every month or every 2 weeks. Give it only to one other person who can modify things for you when you are not there.
0
 
gheistCommented:
Create a couple of domain accounts and make that group local admin on all machines.
msiexec -i is not the worst way to install
0
 
yballanAuthor Commented:
Dear Ruud de Kwaadsteniet,
Thank you for a quick reply.  Does that mean when I need to remotely access that laptop, I will have to give the local install user password to the user so he/she can install the plug-in for LogmeInRescue?
For installing plug-in, credential window is blocked from me, so I cannot type it in.

Dear gheist,
Thank you for a quick reply.  I have the same question as above.
During the remote session by LogmeInRescue, the person must download the plug-in to connect, and at that time to run, it asks for the Admin password.  That screen is blocked and I cannot see it, so the user must type it in.  That means I give away the password to an account for installation, correct?
0
 
arnoldCommented:
If computers are members of a domain, create a computer GPO using computer configuration, Windows settings, security settings, restricted groups. Here you can define the administrators (built-in), then using the restriction part, you would add only the users/accounts that you want to be members of this group. When the system processes this GPO, it will kick out any user account, or any group, not included in the GPO.
Make sure domain admins, enterprise admins, are included. As well as a local account you created in the event you need access to the system while away from the LAN... Or when the account you gave never logged into the system.

Since you reference that this is a laptop, you would prevent the users from doing or being able to do some things they might require.

...
0
 
btanExec ConsultantCommented:
Removing admin rights from users is striking a balance, so you cannot give local admin or have such self-help tech support if the user does not have privileged roles and groups. There can be self-service portals for password reset on lockout without contacting the helpdesk, but besides that you need to decide the privileges of normal users vs. those of privileged users. To share:

Microsoft provides two mechanisms in Group Policy to manage local group membership.

The first is a Group Policy extension called Restricted Groups.

Restricted Groups allows you to overwrite the existing local group with what you have configured in the Group Policy setting.

The other option is within Group Policy Preferences. The Local Users and Groups extension allows you to modify the local group
https://www.beyondtrust.com/blog/removing-users-from-the-local-administrators-group/
0
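
An added example, not part of any poster's answer: a report-only PowerShell audit showing which current members of the built-in Administrators group fall outside the allow list a Restricted Groups policy like the one described above would enforce. The function name, the `localinstall` account name and the sample members are hypothetical; keeping RID 500 in the allow list is an assumption.

```powershell
# Report-only: nothing is added to or removed from any group.
function Get-AdminMembershipReport {
    param(
        # Objects with Name and SID properties (e.g. output of Get-LocalGroupMember)
        [Parameter(Mandatory)] [object[]] $Members,
        # Well-known RIDs: 500 built-in Administrator (assumed kept),
        # 512 Domain Admins, 519 Enterprise Admins
        [string[]] $AllowedRids = @('500', '512', '519'),
        # Full names of extra accounts to keep, e.g. the local install account
        [string[]] $AllowedNames = @()
    )
    foreach ($m in $Members) {
        $sid = [string]$m.SID
        $rid = $sid.Split('-')[-1]
        # Only trust the RID when the SID is a domain/machine account SID
        $isAccountSid = $sid -like 'S-1-5-21-*'
        $keep = ($isAccountSid -and ($AllowedRids -contains $rid)) -or
                ($AllowedNames -contains [string]$m.Name)
        $action = if ($keep) { 'Keep' } else { 'WouldRemove' }
        [pscustomobject]@{ Name = $m.Name; SID = $sid; Action = $action }
    }
}

# Constructed sample membership (names and SIDs are made up for illustration)
$sample = @(
    [pscustomobject]@{ Name = 'LAPTOP01\Administrator'; SID = 'S-1-5-21-1111111111-2222222222-3333333333-500' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins';  SID = 'S-1-5-21-4444444444-5555555555-6666666666-512' }
    [pscustomobject]@{ Name = 'LAPTOP01\localinstall';  SID = 'S-1-5-21-1111111111-2222222222-3333333333-1001' }
    [pscustomobject]@{ Name = 'EXAMPLE\jdoe';           SID = 'S-1-5-21-4444444444-5555555555-6666666666-1104' }
)
Get-AdminMembershipReport -Members $sample -AllowedNames 'LAPTOP01\localinstall' |
    Format-Table -AutoSize

# Live use on a laptop (S-1-5-32-544 is the built-in Administrators group):
# Get-AdminMembershipReport -Members (Get-LocalGroupMember -SID 'S-1-5-32-544') `
#     -AllowedNames "$env:COMPUTERNAME\localinstall"
```

Running this on a few laptops before linking the GPO shows which accounts would lose admin rights, so anything still needed can be added to the policy first.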
 
Ruud de KwaadstenietCommented:
Sorry for my late reply, it was a busy week...

Yes, you'll give away the password for the localadmin account, but you have a few options:
- Reset the password every x time. Just do this in AD, and it will update by GPO on all notebooks/computers.
- Edit the user rights of this localadmin so that it is for LogMeIn only, and so that users cannot abuse the account for other installations.

For external users it is never easy. You give either too many rights, or they have too few rights.
0
 
yballanAuthor Commented:
Dear arnold, thank you for your reply.
After speaking to LogmeIn, they have suggested something like what btan and Ruud de Kwaadsteniet are suggesting, so I think I will go with that, but thank you for educating me.

Dear btan and Ruud de Kwaadsteniet, thank you for your reply.
LogmeIn is suggesting something in line with "userrights of this localadmin so that it is for logmein only", so I will try this route.
It is certainly good to know what the experts would do in situation such as this.
0
 
Ruud de KwaadstenietCommented:
You're welcome!

Good luck with it.
0
