Having users to be in local administrators group

Having users in the local administrators group is sometimes necessary, but it creates security holes for malware and privacy.

I wonder how others handle the dilemma in the following scenarios, which are common at most workplaces:
You manage thousands of user computers and accounts.
Some users need local administrator privileges; for example, they need to install their own software and manage and administer their own computers.
On the other hand, you install multiple agents which need to be protected from being removed or uninstalled by users.

How do you solve the dilemma? Do you give them two accounts, one with local user privileges and the other with local administrative privileges?
Sungpill Han asked:
Sean (System Engineer) commented:
I find it hardly ever needed for someone to be a local admin. Yes they want to be. But a help desk is there to install applications for the users. Very few people get local admin access and that is based on approval.

Even our administrators don't have their day to day accounts as local admins. They do have a separate admin account but they aren't working on their PC as a domain admin or even a local admin. It's too risky and I would rather go through the approval process than remove viruses all the time.
Cliff Galiher commented:
I would argue that you've presented something of a false choice.  In environments where that level of control is needed, users installing their own software is almost *NEVER* desirable.  Admins should spend time building up a "catalog" of approved apps.  They can be distributed via some sort of "store" mechanism (that the agent then installs automatically), or application virtualization (such as App-V), or even remote desktop (such as RemoteApp or Citrix Receiver).

I find those two needs to be almost completely mutually exclusive.  There *are* environments where users need to install their own apps (particularly in dev/test scenarios), but those machines should not have access to corporate information and should be easily destroyed and rebuilt, making "tamper proof" agents unnecessary, and even undesirable as they negatively impact proper dev/test.
Carl Webster (Citrix Technology Professional - Fellow) commented:
I dislike having "regular" users having local admin rights.  There are a couple of 3rd party products I have seen used to help limit the need for local admin rights.

Letting users have local admin and installing software should never be up to the user.  This is bad I.T. practice/policy.  If you are a system administrator/director then it's your task to set departmental policies, and it should start with securing the computers and network and training the users with common best-practice guidelines.

The I.T. department should set the computing guidelines and have the users follow them, not the other way around.  Yes, it is our job to assist the end users and to help them do their job as efficiently as possible, but they shouldn't have unlimited privileges on their computer, putting the workplace systems at risk.  I have never been to an organized workplace that doesn't have a strict I.T. policy and computer group policies enforced in the workplace.  In fact, an organized workplace will even have guidelines for I.T. consultants to operate within.

Give it some thought and create an I.T. policy for everyone to follow.  Get your boss behind you and have him propose it to management.  Once approved by management, it becomes an official I.T. policy.
John, Business Consultant (Owner), commented:
Having users to be in local administrators group is sometimes necessary

In line with others above, it is not necessary and we never do this at any of our clients.
The general case should be for users NOT to have administrative rights. There might be times where temporary access is truly needed for business reasons, and a policy should be built taking that into account. For applications that require higher rights to actually function, see some of the tools suggested by Carl to see if they do the trick.

The separate account approach can work too if you take proper precautions. For example, my employer blocks admin accounts from accessing the internet. Mixed bag given that many of the needed applications might have to be downloaded.

Sometimes the best solution is actually to have machines be isolated within particular environments. I work for a manufacturing company, and we are looking into having systems that would be designed for the manufacturing networks, but not be allowed on the corporate one (a lot of work needs to happen before we can truly achieve that, but it is at least in the cards).
The only exception is for road warriors, where the Helpdesk cannot always be there to help the end user, but it also depends on the user to whom such rights are granted.

As others also pointed out the scenario under which you are considering this is very important.

As well as the user's role.......... In the ..
Sungpill Han (Author) commented:
Thank you for comments, all.
It's complicated in my situation: the main software all employees use requires local admin rights, and the software company doesn't seem to provide an alternative. I started bringing up this issue, and no one seems to think it's an issue or doesn't care. I explained how Petya spreads through the local admin rights of domain users, still..

Carl, thank you for the tool, I got an idea from the link. If I start removing domain users from the local admins group, I may start by working in GPO, and we can give exceptions through GPO by putting the user in local admins if the user needs to become a local admin. We're limited in the number of helpdesk staff; they cannot support the software installation for each case.
We have SCCM, I may design the flow of software deployment only through SCCM in future.

Thank you, all.
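Before removing domain users from the local Administrators group via GPO, it helps to know who is in it on each machine and which entries are sanctioned. The following is an added example, not code from the thread: it audits a machine's local Administrators group against an allow list and flags everything else. It assumes PowerShell 5.1 or later (for Get-LocalGroupMember), an elevated session, and a hypothetical CONTOSO domain with placeholder group names that you would replace with the groups your GPO exceptions actually populate.

```powershell
# Added example: audit local Administrators membership against an allow list.
# Assumptions: PowerShell 5.1+, run elevated; 'CONTOSO' and the group names are placeholders.
$AllowList = @(
    'CONTOSO\Domain Admins',
    'CONTOSO\Workstation-Admins'     # hypothetical group your GPO exception process populates
)

$members = Get-LocalGroupMember -Group 'Administrators'

$report = foreach ($m in $members) {
    # The built-in Administrator account always has RID 500, whatever it has been renamed to,
    # so match it by SID rather than by name.
    $isBuiltInAdmin = $m.SID.Value -like 'S-1-5-21-*-500'
    [pscustomobject]@{
        Name        = $m.Name
        ObjectClass = $m.ObjectClass          # User or Group
        Source      = $m.PrincipalSource      # Local, ActiveDirectory, etc.
        Approved    = $isBuiltInAdmin -or ($AllowList -contains $m.Name)
    }
}

$report | Format-Table -AutoSize

# Everything not approved is a candidate for removal; -WhatIf shows the change without making it.
$unapproved = $report | Where-Object { -not $_.Approved }
foreach ($entry in $unapproved) {
    Write-Warning "Unapproved local administrator on $($env:COMPUTERNAME): $($entry.Name) ($($entry.ObjectClass))"
    Remove-LocalGroupMember -Group 'Administrators' -Member $entry.Name -WhatIf
}
```

Run it on a few machines first (for example through Invoke-Command) to see how many one-off entries exist before switching the GPO to enforce the group; drop the -WhatIf only once the allow list reflects the exception groups you intend to manage centrally.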
It depends on how deep you want to get into it.
Dealing with the software would require that you set up a test user, and then keep granting them rights until the software starts running without issues.
I have run into similar issues where custom software, in order to print, required that the user be a power user. Identifying which components the software needs to work before the vendor fixes their programming error, you would need to grant the users those specific rights.
Often, the software vendor risks nothing by telling the end user that they need (local) admin rights....
John, Business Consultant (Owner), commented:
We substantially isolate some radio programming machines, have good images for restoring computers, and have one person responsible for installing software.

We keep this to an absolute minimum and over time get rid of applications that require admin authority to run.

That keeps problems to a minimum.
You wonder how to keep local admins from messing with internal components like agents? Normally, you can detect the presence of these agents using scripts or they will even have some backend they communicate with that verifies if the agents are still present.

But why would you? Let them sign a document that says "you have been assigned local administrative permissions solely for
A maintenance of software X,
B usage of software Y,
but the administration of the machine is still not your business but ours; you agree to use these privileges only for the aforementioned things."

That should be done. Apart from that, if you can't stay away from software that needs administrative access, try to isolate those systems from the rest of the net - if you can't do that, ask your lawyer how to proceed when something happens that wouldn't have happened without someone abusing his administrative privileges. The lawyer should of course review the document for admins as well.
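The comment above notes that you can detect whether agents are still present with a script rather than trying to make them untamperable. As an added example (not from the thread), the following PowerShell check verifies that each required agent service exists and is running, and records a warning in the Application event log when one is missing, so that removal by a local admin shows up in whatever collects those logs. The service names and the 'AgentCompliance' event source are placeholders; the source must have been registered once beforehand with New-EventLog.

```powershell
# Added example: verify required agent services are present and running.
# Assumptions: service names are placeholders (look yours up with Get-Service); the
# 'AgentCompliance' event source was registered once with:
#   New-EventLog -LogName Application -Source 'AgentCompliance'
$RequiredAgents = @('ContosoEndpointAgent', 'ContosoBackupAgent')   # placeholders

$findings = foreach ($name in $RequiredAgents) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Agent   = $name
        Present = [bool]$svc
        Running = [bool]($svc -and $svc.Status -eq 'Running')
    }
}

$findings | Format-Table -AutoSize

$problems = $findings | Where-Object { -not ($_.Present -and $_.Running) }
if ($problems) {
    $details = ($problems | ForEach-Object {
        "$($_.Agent) present=$($_.Present) running=$($_.Running)"
    }) -join '; '
    $msg = "Agent check failed on $($env:COMPUTERNAME): $details"
    Write-Warning $msg
    # Writing to the event log leaves a record that central log collection can alert on.
    Write-EventLog -LogName Application -Source 'AgentCompliance' -EventId 1001 `
        -EntryType Warning -Message $msg
    exit 1
}
exit 0
```

Scheduled to run as SYSTEM every few hours, the non-zero exit code and the event log entry give your management system or SIEM something to alert on; the point is visibility of tampering, not preventing a local admin from doing it, which the signed document in the comment above covers on the policy side.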
Jeff Glover (Sr. Systems Administrator) commented:
Many software packages claim they need local administrative privileges, but not all really do (yes, some are made so poorly that they require it). I would try this first. Install the software package. Go to Program Files (or Program Files (x86), depending on where it installs), and give users Modify rights to the application's program folder there. Also, find the registry key for the software (often under HKLM\Software\<software company name>, or under HKLM\Software\Wow6432Node\<company> for a 64-bit machine using 32-bit software), and give users Full Control of that registry key (only the company-name one, not the whole hive). Then see if a normal user can use the software normally.
  I have done this in the past for several packages that the manufacturer insisted needed Admin rights.
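The two permission changes Jeff describes, scripted so they can be applied consistently rather than by hand in Explorer and regedit. This is an added example, not Jeff's own script: it assumes an elevated session, a 64-bit machine running a 32-bit application, and placeholder names (ContosoApp under Program Files (x86), vendor key Contoso under Wow6432Node) that you would replace with the real ones.

```powershell
# Added example: grant Users Modify on the app folder and Full Control on the vendor registry key.
# Assumptions: run elevated; 'ContosoApp' and 'Contoso' are placeholders; 32-bit app on 64-bit Windows.
$AppFolder = "${env:ProgramFiles(x86)}\ContosoApp"
$VendorKey = 'HKLM:\SOFTWARE\Wow6432Node\Contoso'   # only the vendor key, never the whole hive

# Use the well-known SID for BUILTIN\Users so the script works on non-English systems.
$UsersSid  = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-545'
$UsersAcct = $UsersSid.Translate([System.Security.Principal.NTAccount])

# 1. Modify on the program folder, inherited by its subfolders and files.
$acl  = Get-Acl -Path $AppFolder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $UsersAcct, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $AppFolder -AclObject $acl

# 2. Full Control on the vendor's registry key, inherited by its subkeys.
$acl  = Get-Acl -Path $VendorKey
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $UsersAcct, 'FullControl', 'ContainerInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $VendorKey -AclObject $acl

# 3. Show what Users now hold on both locations before testing with a non-admin account.
(Get-Acl -Path $AppFolder).Access |
    Where-Object { $_.IdentityReference.Value -eq $UsersAcct.Value } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
(Get-Acl -Path $VendorKey).Access |
    Where-Object { $_.IdentityReference.Value -eq $UsersAcct.Value } |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags -AutoSize
```

One trade-off worth keeping in mind: Modify on a folder that contains the application's executables lets any standard user replace those binaries, so once the software runs, tighten the rule to the data or configuration subfolders it actually writes to. That is still far less exposure than putting every user in the local Administrators group.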