Making users local admins

  • Thread starter Thread starter Eric Sabine
  • Start date Start date
E

Eric Sabine

I've seen talk in the NGs about not making a user a local admin on his or
her workstation. While I'd like to follow this policy to the letter, what
do you do about users who have laptops (and travel most of the time) or
software developers. I find that field-based laptop users might run into
issues with updating an antivirus engine, i.e., going from 9.0 to 9.1.
Likewise if they have printer issues and walk into a client's office and
need to add one of their printers. Additionally, what about windows
updates. I believe now Office System 2003 requires the user to be an admin
to perform common updates.

thanks,
Eric
 
Hello Eric.

What you tell us absolute true.

There is a nice thing we have called "Always install with elevated
privileges" in Group Policy for the Windows Installer section.

This policy appears both in the Computer Configuration and User
Configuration folders. To make this policy effective, you must enable the
policy in both folders.

User Configuration\Administrative Templates\Windows Components\Windows
Installer

Computer Configuration\Administrative Templates\Windows Components\Windows
Installer

Directs Windows Installer to use system permissions when it installs any
program on the system.

This policy extends elevated privileges to all programs. These privileges
are usually reserved for programs that have been assigned to the user
(offered on the desktop), assigned to the computer (installed
automatically), or made available in Add/Remove Programs in Control Panel.
This policy lets users install programs which require access to directories
that the user might not have permission to view or change, including
directories on highly restricted computers.
 
You can grant the power users the right to load and unload device drivers.
Also you can choose to make the users local administrators (and use a
different account) when they log on to the local box. Use restricted groups
in group policy to insure that they do not try to add their domain account
to the local adminsitrators group.

Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.



You can also have the users log on as the local
 
Back
Top