Admin Rights for Everyone on the Domain

Status
Not open for further replies.

Bigtm

IS-IT--Management
Nov 2, 2006
52
GB
Yes, I know it sounds nuts but that is what the management want to do. Are they crazy you will ask? No, they just don't have a Scooby Doo. It does not matter what I say it seems they will only be happy when everyone can do whatever they want on their PCs.

Are there any articles that will highlight the dos and don'ts of admin rights? I have found a few here and there but nothing definitive. I'm hoping this will get blood boiling and I may be able to produce documentation that will show them Admin rights for the people are as useful as a hole in the head.

Kind Regards,
BigTM.
 
What industry are you in? Giving everyone admin rights is definitely not "best practices", and consequently you could find your company falling short of meeting security requirements laid out in HIPAA, Sarbanes-Oxley, etc.

Your biggest issues will probably be spyware/malware related. The complications from that would run from system performance issues and downtime all the way up to security breaches, along with theft or destruction of confidential or customer data.

Where I used to work we originally deployed all of our PCs with nobody having admin rights. After a while a vendor-provided application came around that required local admin rights to function correctly. To accommodate them we gave a subset of our users full admin rights on their PCs. This affected roughly 100 of our 350 PCs deployed. Not long afterwards we found ourselves having to rebuild and redeploy 1-2 PCs a week due to users installing spyware/malware/software that shouldn't be installed, or wasting time troubleshooting "strange performance issues."

I went back to the vendor and insisted that we had to have a way to run the programs without full admin rights, and we came up with a solution that included modifying permissions on the install directories and application-specific registry keys. Once those changes were deployed we locked down the PCs again, and we had a dramatic reduction in the number of rebuilds/fixes that we had to do every week.

There is no doubt that allowing the users to have full admin rights resulted in a definite cost for the company in the form of increased IT workload which caused other IT assignments to fall behind schedule. Not to mention just the stress of having to constantly redeploy the same systems over and over again. Once we had security back where I wanted it there was a positive impact, both financially and in stress levels. And while my users were never happy that they couldn't install the latest dancing pigs screensaver, they had a lot less downtime to deal with when things were done "the right way."



But the bigger issue I think is with your management. If the person in question is an IT manager/director, then they very clearly have no idea what they're doing and shouldn't be in the job. If they're not an IT manager/director, then they very clearly have no business making decisions about routine IT security issues because they don't understand the implications. The equivalent would be me telling the finance people that we need to switch from cost-based accounting to accrual-based accounting (or vice versa). It's not my area of expertise or responsibility (or the manager's). I suspect that this is just the tip of the iceberg to come, too...
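Added example, not part of the original thread: one way to apply the approach described in the post above, granting a group write access to a single application's install directory and registry key instead of local admin rights. The directory, registry key and group name are hypothetical placeholders; the poster's actual vendor, paths and keys are not given.

```powershell
# Hypothetical values: substitute the real install directory, registry key and group.
$InstallDir = 'C:\Program Files (x86)\VendorApp'
$RegKeyPath = 'HKLM:\SOFTWARE\VendorApp'
$AppGroup   = New-Object System.Security.Principal.NTAccount('EXAMPLE\VendorApp-Users')

function Grant-AppDirectoryModify {
    param([string]$Path, [System.Security.Principal.IdentityReference]$Identity)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Install directory not found: $Path"
    }
    $acl  = Get-Acl -LiteralPath $Path
    # Modify (not FullControl): users cannot change the ACL or take ownership.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]'Modify',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]'None',
        [System.Security.AccessControl.AccessControlType]'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Grant-AppRegistryWrite {
    param([string]$Path, [System.Security.Principal.IdentityReference]$Identity)
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Registry key not found: $Path"
    }
    $acl  = Get-Acl -LiteralPath $Path
    # Read plus value/subkey writes only; no delete of the key, no permission changes.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity,
        [System.Security.AccessControl.RegistryRights]'ReadKey,SetValue,CreateSubKey',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
        [System.Security.AccessControl.PropagationFlags]'None',
        [System.Security.AccessControl.AccessControlType]'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Run elevated, once per machine (or from a deployment script).
Grant-AppDirectoryModify -Path $InstallDir -Identity $AppGroup
Grant-AppRegistryWrite   -Path $RegKeyPath -Identity $AppGroup

# Show the resulting explicit entries so the change can be reviewed.
(Get-Acl -LiteralPath $InstallDir).Access | Where-Object { -not $_.IsInherited }
(Get-Acl -LiteralPath $RegKeyPath).Access | Where-Object { -not $_.IsInherited }
```

Write access to an install directory lets members of that group replace the application's binaries, so keep the grant to the one application that needs it and do not run that application elevated or as a service.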
 
Many Thanks, I appreciate the time taken to respond to my query. I have compiled substantial documentary evidence and the real life examples outlined are extremely helpful.

It seems that many Management types do not trust the people that hold it all together and when it all goes pear shaped the people opposed to the move in the first place will be blamed.

BigTM.
 
Is there a straightforward way to give users local admin rights on their machines when they need to install software, or for those programs that require the users to run them one time as an admin?
 
If the software is an MSI then you can publish via a GPO.

Or if you use Zen or such like then you can distribute the software and the application will have the admin rights.

If you have to give admin rights then I would use a Restricted Groups GPO and then it is easy to revoke.
 
As Terry has said, use a GPO with Restricted Groups to add Domain Users to the local Admin group. Don't jeopardize your job by giving actual domain admin rights to users.

I hope you find this post helpful.

Regards,

Mark
