Let users install software without administrator rights

*** Hopeleonie ***
Hi

One of our customers needs to give a few users the ability to install software under Windows 10 (Build 1703), as they are developers. The solution that most of my senior engineers are recommending is to create two users: one normal user and one local administrator that has no other permissions in the domain.

Two other engineers are telling me to do it KIS (keep it simple). They both recommend creating one user, giving it local administrator permissions and enabling UAC. Afterwards they also told me to educate the users to be careful when the authentication prompt appears.

What would you recommend?

Many thanks in advance.
Jackie Man IT Manager
Top Expert 2010
Commented:
Unless your users are domain admins or IT experts, it is a bit risky to do so.
Patrick Bogers, Datacenter platform engineer Lindows
Commented:
Developers need local admin rights; otherwise they can't do anything in, e.g., IIS web servers.
Also, they need to install specific software patches, plugins and others.

No need to turn UAC on; a local admin can bypass it whenever they want.

Cheers
Distinguished Expert 2018
Commented:
Although UAC can be seen as a barrier, Microsoft themselves say it is no security boundary. I understand the need for KIS, though, and that's why I recommend having a look at my article, which I hope has a promising solution for you: https://www.experts-exchange.com/articles/24599/Free-yourself-of-your-administrative-account.html
There, two accounts are used, and that is so much better.
Distinguished Expert 2018
Commented:
Two accounts, always. I treat developers (and I've worked in BBIIGG development houses) just like domain admins. Domain admins shouldn't do day-to-day stuff (check email, etc.) with their domain admin account, even with UAC.

In short, whether domain or local, admin accounts should be used "as needed" instead of being logged in at all times. That *is* following KISS, comparatively. Asking users (even skilled users) not to compromise their admin account is more complicated. So yes, create two accounts per user, and the local admin account is used sparingly, only when necessary.
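
One way to set up the two-account arrangement recommended above on a single Windows 10 machine, as an added example that is not part of the original thread: it creates a separate local administrator account and warns if the developer's everyday account is also a direct member of the local Administrators group. The account names `alice-adm` and `CONTOSO\alice` are constructed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Both account names are constructed placeholders.
param(
    [string]$AdminAccount = 'alice-adm',      # hypothetical local account used only for elevation
    [string]$DailyAccount = 'CONTOSO\alice'   # hypothetical everyday domain account of the developer
)

# Resolve the built-in Administrators group by its well-known SID,
# so the script also works on localized Windows installations.
$admins = Get-LocalGroup -SID 'S-1-5-32-544'

# 1. Create the separate local account if it does not exist yet.
#    It is a local account only, so it has no permissions in the domain.
if (-not (Get-LocalUser -Name $AdminAccount -ErrorAction SilentlyContinue)) {
    $password = Read-Host -AsSecureString "Password for $AdminAccount"
    New-LocalUser -Name $AdminAccount -Password $password `
        -Description 'Elevation only, not for daily logon' | Out-Null
}

# 2. Make it a member of the local Administrators group (idempotent).
$memberNames = (Get-LocalGroupMember -Group $admins).Name
if ($memberNames -notcontains "$env:COMPUTERNAME\$AdminAccount") {
    Add-LocalGroupMember -Group $admins -Member $AdminAccount
}

# 3. The everyday account must stay a standard user. Flag it rather than
#    remove it silently, so the change is a conscious decision.
if ($memberNames -contains $DailyAccount) {
    Write-Warning "$DailyAccount is a direct member of Administrators; remove it with Remove-LocalGroupMember."
}

# 4. Report the resulting membership for review. Domain groups listed here
#    can still grant the everyday account admin rights indirectly.
Get-LocalGroupMember -Group $admins |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell session. The developer then stays logged on with the everyday account and enters the `alice-adm` credentials at the UAC prompt when an installer needs elevation.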
Patrick Bogers, Datacenter platform engineer Lindows
Commented:
Wow! I am sysadmin at a programming house and had given up on putting our developers on a leash. McKnife's post opens my eyes. I didn't know about these blank-password accounts, very neat!!

I humbly stand corrected, thanks guys.
Distinguished Expert 2018
Commented:
Patrick, be aware that of course this also has a downside: that blank-pw local account is no domain account, so accessing networked resources with it will always need extra steps done with your normal account. But well, you can adapt to anything. I have been using it like this for years.
*** Hopeleonie *** IT Manager

Author

Commented:
@all
Thanks to all again.
Have a good start in the new week.
