To Give Local Admin Priveleges or Not

powlaz · 10-22-2008, 10:59 AM

Windows 2003 Server w/ AD, no Group Policy +
Windows XP SP2 or SP3 clients

I think this question winds up being a "Chevy vs. Ford" thing, meaning that everyone who responds will feel strongly one way or the other. The question is this: Should I continue to give domain users local admin rights?

When I set up a new user at a PC I add their domain account to the local admin user group. We do this because we've been told that a couple of our applications require the user to have local admin rights.

I recently found a way around this and am now wondering if I should remove everyone from the local Administrators group and put them in the local Users group. This solves one big problem for me and that is that every time a user logs in to a different computer (we have several people who bounce around) the default local permissions that they are given is "Limited" (they are placed in the "Users" group). Which means I have to configure their login on that computer so that they are added to the local Administrators group. Of course this always happens at the worst time . . .

I figure my options are to fix it so everyone is kept in the local "Users" group (and then apply my workarounds) or to add "Domain Users" to the local "Administrators" group. I'm interested in the Pros & Cons of both. I've read that adding the "Domain Users" group to the local Administrators group is bad news but I'm not sure how it's different than adding the domain user's account to the local Administrator group which is what we do now. I've also read that adding domain user's accounts to the local "Users" group can create a lot of problems too.

Nobody has been very specific about the PROS and CONS of both methods so I need your help.

Thanks all,

MJ

**XtabbedoutX** · 10-22-2008, 01:16 PM

Unless you are supporting users that need to install and test software like in a support type role, I would <b>NOT</b> grant local admin rights to my users. The companies that put out software that say the user of the software HAS to be a local admin are usually to lazy to give you the registry and folder permissions to allow the software to run. That is just my opinion, but as an Admin I would never give local admin rights to a user, that is like giving a kid a gun.

Then if you look at it from a security side of it. Allowing all users to pocess local admin rights opens your network up to several vulnerabilities and risks.

powlaz · 10-22-2008, 01:56 PM

XtabbedoutX, I appreciate the feedback. I hope for much more insight too. In the meantime can you elaborate on the risks, vunerabilities, etc.

Thanks,

MJ

**XtabbedoutX** · 10-22-2008, 03:23 PM

Vulnerabilities:

If the user installs a program that he/she saw on the net e.g. a new screen saver, toolbar, game, etc.that has malicious or poorly written code this could potentially cause a work related program to quit working. I have seen this happen with something as simple as a weather app that crashed a users desktop.

If a user has local admin rights and they think their PC is not running fast enough for them they could download one of those readily available Registry Cleaners. These in general are just bad news and for the most part are looked down upon from an IT prospective.

Security:

There is so much that could be listed under this category.

If a user installs a program that manages to bypass or is missed by AV/spyware software it has access to ALL network resources the user has. This could result in loss of company data or stolen data. Depending on what kind of data is on the network and is accessible to your users could potentially be accessed bo someone that has ill intentions.

Those are just a few possibilities. I am sure some of the other Admins around here can attest to the other risks involved.

powlaz · 10-23-2008, 05:52 AM

Thank you again for the information. I'm hoping that a few more people post too so I have a small collection of PROS and CONS to work with. In the meantime I'd like to complicate my question by asking if the majority of the CONS are based on a user installing a program? If this is the case then the GPOs we will soon develop could include preventing users from installing programs, right? What does making everyone a local Admin accomplish that making them local Users complicate?

Thanks for the answers. I appreciate the help.

MJ

10-22-2008, 10:59 AM	#1 (permalink)
powlaz Registered User Join Date: Feb 2007 Posts: 33 OS: XP	To Give Local Admin Priveleges or Not Windows 2003 Server w/ AD, no Group Policy + Windows XP SP2 or SP3 clients I think this question winds up being a "Chevy vs. Ford" thing, meaning that everyone who responds will feel strongly one way or the other. The question is this: Should I continue to give domain users local admin rights? When I set up a new user at a PC I add their domain account to the local admin user group. We do this because we've been told that a couple of our applications require the user to have local admin rights. I recently found a way around this and am now wondering if I should remove everyone from the local Administrators group and put them in the local Users group. This solves one big problem for me and that is that every time a user logs in to a different computer (we have several people who bounce around) the default local permissions that they are given is "Limited" (they are placed in the "Users" group). Which means I have to configure their login on that computer so that they are added to the local Administrators group. Of course this always happens at the worst time . . . I figure my options are to fix it so everyone is kept in the local "Users" group (and then apply my workarounds) or to add "Domain Users" to the local "Administrators" group. I'm interested in the Pros & Cons of both. I've read that adding the "Domain Users" group to the local Administrators group is bad news but I'm not sure how it's different than adding the domain user's account to the local Administrator group which is what we do now. I've also read that adding domain user's accounts to the local "Users" group can create a lot of problems too. Nobody has been very specific about the PROS and CONS of both methods so I need your help. Thanks all, MJ

10-22-2008, 01:16 PM	#2 (permalink)
XtabbedoutX TSF Enthusiast Join Date: Sep 2007 Location: Oklahoma City Posts: 1,189 OS: Server 2K3 R2 SP 2, Server 2K SP4, XP PRO SP 3, Mac OS X 10.5, iPhone My System	Re: To Give Local Admin Priveleges or Not Unless you are supporting users that need to install and test software like in a support type role, I would <b>NOT</b> grant local admin rights to my users. The companies that put out software that say the user of the software HAS to be a local admin are usually to lazy to give you the registry and folder permissions to allow the software to run. That is just my opinion, but as an Admin I would never give local admin rights to a user, that is like giving a kid a gun. Then if you look at it from a security side of it. Allowing all users to pocess local admin rights opens your network up to several vulnerabilities and risks.

10-22-2008, 01:56 PM	#3 (permalink)
powlaz Registered User Join Date: Feb 2007 Posts: 33 OS: XP	Re: To Give Local Admin Priveleges or Not XtabbedoutX, I appreciate the feedback. I hope for much more insight too. In the meantime can you elaborate on the risks, vunerabilities, etc. Thanks, MJ

10-22-2008, 03:23 PM	#4 (permalink)
XtabbedoutX TSF Enthusiast Join Date: Sep 2007 Location: Oklahoma City Posts: 1,189 OS: Server 2K3 R2 SP 2, Server 2K SP4, XP PRO SP 3, Mac OS X 10.5, iPhone My System	Re: To Give Local Admin Priveleges or Not Vulnerabilities: If the user installs a program that he/she saw on the net e.g. a new screen saver, toolbar, game, etc.that has malicious or poorly written code this could potentially cause a work related program to quit working. I have seen this happen with something as simple as a weather app that crashed a users desktop. If a user has local admin rights and they think their PC is not running fast enough for them they could download one of those readily available Registry Cleaners. These in general are just bad news and for the most part are looked down upon from an IT prospective. Security: There is so much that could be listed under this category. If a user installs a program that manages to bypass or is missed by AV/spyware software it has access to ALL network resources the user has. This could result in loss of company data or stolen data. Depending on what kind of data is on the network and is accessible to your users could potentially be accessed bo someone that has ill intentions. Those are just a few possibilities. I am sure some of the other Admins around here can attest to the other risks involved. Last edited by XtabbedoutX; 10-22-2008 at 03:24 PM.

10-23-2008, 05:52 AM	#5 (permalink)
powlaz Registered User Join Date: Feb 2007 Posts: 33 OS: XP	Re: To Give Local Admin Priveleges or Not Thank you again for the information. I'm hoping that a few more people post too so I have a small collection of PROS and CONS to work with. In the meantime I'd like to complicate my question by asking if the majority of the CONS are based on a user installing a program? If this is the case then the GPOs we will soon develop could include preventing users from installing programs, right? What does making everyone a local Admin accomplish that making them local Users complicate? Thanks for the answers. I appreciate the help. MJ