Solved

Removing local Admin rights from users

Posted on 2016-10-18
Last Modified: 2016-10-22
Dear Experts,
I have been told to remove all local admin rights from the users on our network. Even though I am the only one that installs applications on these laptops, I am hesitant to go ahead and do this because:
1. If I am absent, no one can run a script on a website that they may need.
2. If the user is off-site and has technical difficulty, I cannot use remote login (I use LogmeinRescue) to help because the user needs to run this plug-in as administrator.

I understand the need to block users from admin rights for security reasons. What would be the best approach for this?
Please advise.
0
Question by:yballan
8 Comments
 
LVL 1

Expert Comment

by:Ruud de Kwaadsteniet
ID: 41848929
Create a local install user by GPO. Change the password every month or every 2 weeks. Give it only to one other person who can modify things for you when you are not there.
0
 
LVL 62

Expert Comment

by:gheist
ID: 41848955
Create a couple of domain accounts and make that group local admin on all machines.
msiexec -i is not the worst way to install
0
 

Author Comment

by:yballan
ID: 41849110
Dear Ruud de Kwaadsteniet,
Thank you for a quick reply.  Does that mean when I need to remotely access that laptop, I will have to give the local install user password to the user so he/she can install the plug-in for LogmeInRescue?
For installing the plug-in, the credential window is blocked from me, so I cannot type it in.

Dear gheist,
Thank you for a quick reply.  I have the same question as above.
During the remote session by LogmeInRescue, the person must download the plug-in to connect, and at that time to run, it asks for the Admin password.  That screen is blocked and I cannot see it, so the user must type it in.  That means I give away the password to an account for installation, correct?
0

 
LVL 78

Expert Comment

by:arnold
ID: 41849286
If the computers are members of a domain, create a computer GPO using Computer Configuration, Windows Settings, Security Settings, Restricted Groups. Here you can define the Administrators (built-in) group; then, using the restriction part, you would add only the users/accounts that you want to be members of this group. When the system processes this GPO, it will kick out any user account or any group not included in the GPO.
Make sure domain admins, enterprise admins, are included, as well as a local account you created in the event you need access to the system while away from the LAN... or when the account you gave never logged into the system.

Since you reference that this is a laptop, you would prevent the users from doing or being able to do some things they might require.

...
0
 
LVL 63

Accepted Solution

by:
btan earned 250 total points
ID: 41849308
Removing admin rights from users is striking a balance, so you cannot give local admin or have such self-help tech support if the user does not have privileged roles and groups. There can be self-service portals for password reset on lockout without contacting the helpdesk, but besides that you need to decide the privileges of normal users vs. those of privileged users. To share:
Microsoft provides two mechanisms in Group Policy to manage local group membership.


The first is a Group Policy extension called Restricted Groups.

Restricted Groups allows you to overwrite the existing local group with what you have configured in the Group Policy setting.

The other option is within Group Policy Preferences. The Local Users and Groups extension allows you to modify the local group
https://www.beyondtrust.com/blog/removing-users-from-the-local-administrators-group/
0
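A preview of the Restricted Groups behaviour described in arnold's and btan's answers, as an added example that is not part of any post in this thread: it lists which members of the local Administrators group a policy would keep, remove or add. The CONTOSO domain, the LAPTOP-01 host and the svc-install account are placeholder names, and the sample membership is constructed.

```powershell
# Added example: dry-run of a Restricted Groups "Members of this group" list
# against the current local Administrators membership.
function Compare-AdminMembership {
    param(
        [object[]] $Members,                       # objects with Name/ObjectClass/PrincipalSource
        [Parameter(Mandatory)] [string[]] $Allowed # names the policy will list as members
    )
    foreach ($m in $Members) {
        [pscustomobject]@{
            Account = $m.Name
            Class   = $m.ObjectClass
            Source  = $m.PrincipalSource
            # The policy list is authoritative: members not on it are
            # dropped from the group at the next policy refresh.
            Action  = if ($m.Name -in $Allowed) { 'Keep' } else { 'Removed by policy' }
        }
    }
    # Listed accounts that are not members yet get added by the policy.
    foreach ($name in $Allowed) {
        if ($name -notin $Members.Name) {
            [pscustomobject]@{ Account = $name; Class = $null; Source = $null; Action = 'Added by policy' }
        }
    }
}

# Constructed sample membership (not real data). On a live Windows machine use:
#   $members = Get-LocalGroupMember -SID 'S-1-5-32-544'   # built-in Administrators
$members = @(
    [pscustomobject]@{ Name = 'LAPTOP-01\Administrator'; ObjectClass = 'User';  PrincipalSource = 'Local' }
    [pscustomobject]@{ Name = 'CONTOSO\Domain Admins';   ObjectClass = 'Group'; PrincipalSource = 'ActiveDirectory' }
    [pscustomobject]@{ Name = 'CONTOSO\jsmith';          ObjectClass = 'User';  PrincipalSource = 'ActiveDirectory' }
)

# Placeholder allow-list: domain admin groups plus a hypothetical local install account.
$allowed = @(
    'LAPTOP-01\Administrator'
    'CONTOSO\Domain Admins'
    'CONTOSO\Enterprise Admins'
    'LAPTOP-01\svc-install'
)

Compare-AdminMembership -Members $members -Allowed $allowed | Format-Table -AutoSize
```

Running this on a few representative laptops before linking the GPO shows which users lose admin rights and whether the fallback local account is already in place.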
 
LVL 1

Assisted Solution

by:Ruud de Kwaadsteniet
Ruud de Kwaadsteniet earned 250 total points
ID: 41855285
Sorry for my late reply, it was a busy week...

Yes, you'll give away the password for the localadmin account, but you have a few options:
- Reset the password every x time. Just do this in AD, and it will update by GPO on all notebooks/computers.
- Edit the user rights of this localadmin so that it is for LogMeIn only, and so that users cannot abuse the account for other installations.

For external users it is never easy. You give either too many rights, or they have too few rights.
0
 

Author Closing Comment

by:yballan
ID: 41855441
Dear arnold, thank you for your reply.
After speaking to LogmeIn, they have suggested something like what btan and Ruud de Kwaadsteniet are suggesting, so I think I will go with that, but thank you for educating me.

Dear btan and Ruud de Kwaadsteniet, thank you for your reply.
LogmeIn is suggesting something in line with "userrights of this localadmin so that it is for logmein only", so I will try this route.
It is certainly good to know what the experts would do in a situation such as this.
0
 
LVL 1

Expert Comment

by:Ruud de Kwaadsteniet
ID: 41855451
You're welcome!

Good luck with it.
0
