User access on Local machines.

[Smelly]

Didn't really know where to post this. So I posted in a couple:

Right now our 450 win2k pro users on our domain are all local
administrators. I realize this is not the brightest way to setup a secure
network environment. However, we are constantly having to uninstall and
reinstall software on users machines to fix problematic software. So I
think I came up with a solution.

Make all users standard users.
1. Put a shorcut to runas.exe in the send to menu on all workstations.
2. In the target I put c:\winnt\system32\runas.exe
/user:[domain]\administrator.
3. That I way all I have to do while logged on as a standard user, is right
click on the software install->send to->runas. It will then prompt for the
administrator password and away the install goes.

I was just wondering if there is any gotchas with doing this and also
checking to see if anybody else has a better solution.

All comments welcome

 

[Rob Elder, MVP]

Didn't really know where to post this. So I posted in a couple:

Right now our 450 win2k pro users on our domain are all local
administrators. I realize this is not the brightest way to setup a secure
network environment. However, we are constantly having to uninstall and
reinstall software on users machines to fix problematic software. So I
think I came up with a solution.

Make all users standard users.
1. Put a shorcut to runas.exe in the send to menu on all workstations.
2. In the target I put c:\winnt\system32\runas.exe
/user:[domain]\administrator.
3. That I way all I have to do while logged on as a standard user, is right
click on the software install->send to->runas. It will then prompt for the
administrator password and away the install goes.

I was just wondering if there is any gotchas with doing this and also
checking to see if anybody else has a better solution.

All comments welcome

It's always a good idea to use the secondary logon. But, unless you are
personally installing software on every PC, then each user will need the
domain admin account password. Not a good idea.

Have you tried rolling this software out with group policy. One of the
characteristics of an MSI file is it resiliency. This will fix any missing
or corrupted files.

 

[Smelly]

We would be doing the installs so they would not need the password. We are
just now starting to use GP to send out msi's. So it will be more efficient
in the future. For quick fixes it is easier for our helpdesk to just do it
fast.

Didn't really know where to post this. So I posted in a couple:

Right now our 450 win2k pro users on our domain are all local
administrators. I realize this is not the brightest way to setup a secure
network environment. However, we are constantly having to uninstall and
reinstall software on users machines to fix problematic software. So I
think I came up with a solution.

Make all users standard users.
1. Put a shorcut to runas.exe in the send to menu on all workstations.
2. In the target I put c:\winnt\system32\runas.exe
/user:[domain]\administrator.
3. That I way all I have to do while logged on as a standard user, is right
click on the software install->send to->runas. It will then prompt for the
administrator password and away the install goes.

I was just wondering if there is any gotchas with doing this and also
checking to see if anybody else has a better solution.

All comments welcome

It's always a good idea to use the secondary logon. But, unless you are
personally installing software on every PC, then each user will need the
domain admin account password. Not a good idea.

Have you tried rolling this software out with group policy. One of the
characteristics of an MSI file is it resiliency. This will fix any missing
or corrupted files.