Domain users member of local administrators group

[Guest]

I have a rather large network and seem to have a few issues with users
permissions, I have read a few articals mentioning that domain users (i
think) should be made a member of the local administrators group on client
machines. Is this normal practise?

Does this not weaken security?

Any advice would be appreciated.

Thanks

 

[Steven Umbach]

You want to avoid that if at all possible as that can significantly increase
support costs as users install unauthorized software, disable settings and
applications they do not like [firewall and antivirus for instance] , create
local user accounts to logon to in order to bypass Group Policy user settings,
etc. While a user that is a local administrator has not special powers in the
domain it can weaken security by increasing the possibility of worms, Trojans,
back doors, etc on your network If you have specific problem such as a legacy
application that will not work correctly then there may be a workaround with
modifying NTFS/registry permissions for the application. --- Steve

 

[Shenan Stanley]

I have a rather large network and seem to have a few issues with
users permissions, I have read a few articals mentioning that
domain users (i think) should be made a member of the local
administrators group on client machines. Is this normal practise?

Does this not weaken security?

Any advice would be appreciated.

If these articles were printed on paper - throw them away.
Forget you ever read them.
They are incorrect.