Sungpill Han
asked on
Having users to be in local administrators group
Having users in the local administrators group is sometimes necessary, but it creates security holes for malware and privacy.
I wonder how others handle the dilemma in the following scenarios, which are common at most workplaces:
You manage thousands of user computers and accounts.
Some users need to have local administrator privilege; for example, they need to install their own software and manage and administer their own computers.
On the other hand, you install multiple agents which need to be protected from being removed or uninstalled by users.
How do you solve the dilemma? Do you give them two accounts, one with local user privilege and the other with local administrative privilege?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you for the comments, all.
It's complicated in my situation: the main software all employees use requires local admin rights, and the software company doesn't seem to provide an alternative. I started bringing up the issue and no one seems to think it's an issue, or no one cares. I explained how Petya spreads through the local admin rights of domain users, still..
Carl, thank you for the tool, I got an idea from the link. If I start removing domain users from the local admins group, I may start by working in GPO, and we give exceptions through GPO by putting the user in local admins if the user needs to become local admin. We're limited in the number of helpdesk staff; they cannot support the software installation for each case.
We have SCCM; I may design the flow of software deployment only through SCCM in the future.
Thank you, all.
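Before a GPO starts removing domain users from the local admins group with per-user exceptions, as the post above plans, it helps to see who would be affected on a machine. The following is an added example, not code from this thread; the function name, the `CONTOSO` accounts, the SIDs and the choice to keep the built-in Administrator and Domain Admins are assumptions.

```powershell
# Added example: report local Administrators members that are not on the exception list.
function Get-UnapprovedLocalAdmin {
    param(
        [Parameter(Mandatory)] [object[]] $Members,   # objects with Name, ObjectClass, SID
        [string[]] $ApprovedExceptions = @()          # DOMAIN\name entries allowed to stay
    )
    foreach ($m in $Members) {
        $sid = [string]$m.SID
        # Assumption: keep the built-in Administrator (RID 500) and Domain Admins (RID 512).
        if ($sid -match '-(500|512)$') { continue }
        # -contains compares strings case-insensitively.
        if ($ApprovedExceptions -contains $m.Name) { continue }
        $finding = if ($sid -match '-513$') {
            'Domain Users is a member: every domain user is a local admin'
        } elseif ($m.ObjectClass -eq 'Group') {
            'Unapproved group: review its nested members'
        } else {
            'Unapproved account'
        }
        [pscustomobject]@{ Member = $m.Name; ObjectClass = $m.ObjectClass; Finding = $finding }
    }
}

# Constructed sample in the shape Get-LocalGroupMember returns (names and SIDs are made up).
$sample = @(
    [pscustomobject]@{ Name = 'PC01\Administrator';    ObjectClass = 'User';  SID = 'S-1-5-21-1111-2222-3333-500' }
    [pscustomobject]@{ Name = 'CONTOSO\Domain Admins'; ObjectClass = 'Group'; SID = 'S-1-5-21-4444-5555-6666-512' }
    [pscustomobject]@{ Name = 'CONTOSO\Domain Users';  ObjectClass = 'Group'; SID = 'S-1-5-21-4444-5555-6666-513' }
    [pscustomobject]@{ Name = 'CONTOSO\jdoe';          ObjectClass = 'User';  SID = 'S-1-5-21-4444-5555-6666-1104' }
    [pscustomobject]@{ Name = 'CONTOSO\asmith';        ObjectClass = 'User';  SID = 'S-1-5-21-4444-5555-6666-1105' }
)

# jdoe is the approved exception; Domain Users and asmith are reported.
Get-UnapprovedLocalAdmin -Members $sample -ApprovedExceptions 'CONTOSO\jdoe' | Format-Table -AutoSize

# On a real machine, read the group by its well-known SID so localized group names do not matter:
# Get-UnapprovedLocalAdmin -Members (Get-LocalGroupMember -SID 'S-1-5-32-544') -ApprovedExceptions 'CONTOSO\jdoe'
```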
It depends on how deep you want to get into it.
Dealing with the software would require that you set up a test user, and then keep granting them rights until the software starts running without issues.
I have run into similar issues where custom software, in order to print, required that the user be a power user. After identifying which issue/components the software needs to work, before they fix their programming error, you would need to grant the users those specific rights.
Often, the software vendor risks nothing by telling the end user that they need admin rights (local)....
We substantially isolate some radio programming machines, have good images for restoring computers, and have one person responsible for installing software.
We keep this to an absolute minimum and over time get rid of applications that require admin authority to run.
That keeps problems to a minimum.
I find those two needs to be almost completely mutually exclusive. There *are* environments where users need to install their own apps (particularly in dev/test scenarios) but those machines should not have access to corporate information and should be easily destroyed and rebuilt, making "tamper proof" agents unnecessary, and even undesirable as they negatively impact proper dev/test.