General discussion

Locked

ok for users to be local admins?

By lhAdmin ·
Hi,
We'd like for users to be able to install certain software on their own as well as run certain scripts (which we write for them) that may "fix" certain things (Windows loses the file association for jpg, etc). However, if they're not a localadmin on their Win2k workstation, it becomes a problem. Is it a big security issue to make all users local admins? How do most people handle this?

Thanks.

This conversation is currently closed to new comments.

17 total posts (Page 1 of 2)   01 | 02   Next
Thread display: Collapse - | Expand +

All Comments

Collapse -

ok for users to be local admins?

by Ann777 In reply to ok for users to be local ...

Most people handle their own installs just fine. We setup users to be a local admin and most people will not do anything to destroy themselves.

However, you do get a few experimenters in every group. The most common thing that happens is that people will take themselves off the domain (in order to connect to a home office worgroup and backup files or offload them to another machine), and then not be able to get back on.

But, the handling of users' and the ability of them to install specific software that they need (or hardware for that matter) has not been a great problem for us. And the few who want to do other stuff, will usually check before doing anything (to make sure that it is okay).

Collapse -

ok for users to be local admins?

by Ann777 In reply to ok for users to be local ...

As long as your Administrator account in the domain is secure (ie. you and your other admins/techs are the only ones with the password), then the user as a local admin only has rights over the local computer... not the domain.

Collapse -

ok for users to be local admins?

by lhAdmin In reply to ok for users to be local ...

Poster rated this answer

Collapse -

ok for users to be local admins?

by Allard In reply to ok for users to be local ...

Before you give your users local admin rights, you must know your end-users. Are there messing up the systems and you have no clear policy for re-installing a system and it takes too much workload, don't give them the rights.

There are solutions,such as:

- SMS
- GPO
- SU-account (This account make you temporary
local admin with a user acccount and after
installation of e.g. application you are back
normal user)
- Maybe Power-user is enough

Collapse -

ok for users to be local admins?

by Allard In reply to ok for users to be local ...

Maybe it is not clear, but my focus with the solutions is about the distributing and installing software without being a local administrator.

Collapse -

ok for users to be local admins?

by Allard In reply to ok for users to be local ...

Maybe it is not clear, but my focus with the solutions is about the distributing and installing software without being a local administrator.

Collapse -

ok for users to be local admins?

by lhAdmin In reply to ok for users to be local ...

Poster rated this answer

Collapse -

ok for users to be local admins?

by lhAdmin In reply to ok for users to be local ...

Thanks for the quick answers. My users are very careful and usually do not mess with things without asking first. I think this will make our lives alot easier. Since I am still a newbie to Active Directory & Win2k, my concern was local admins might have some capabilities on the general network that I wasn't aware of.

Collapse -

ok for users to be local admins?

by highlander718 In reply to ok for users to be local ...

all of the above, plus no, they cannot mess things up on the network with local admin rights. Whatever user ID is admin on local, the network settings, rights and policies for that user are set on the server and there you can restrict whatever. Theycan only mess up that particular workstation.

Collapse -

ok for users to be local admins?

by lhAdmin In reply to ok for users to be local ...

Poster rated this answer

Back to Windows Forum
17 total posts (Page 1 of 2)   01 | 02   Next

Related Discussions

Related Forums