Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations derfloh on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Admin Rights for Everyone on the Domain

Status
Not open for further replies.
Bigtm

Bigtm

IS-IT--Management
Joined
Nov 2, 2006
Messages
52
Location
GB
Yes, I know it sounds nuts but that is what the management want to do. Are they crazy you will ask? No, they just don't have a Scooby Doo. It does not matter what I say it seems they will only be happy when everyone can do whatever they want on their PC's.

Are there any articles that will highlight the do's and dont's of admin rights? I have found a few here and there but nothing definitive. I'm hopping this will get blood boiling and I may be able to produce documentation that will show them Admin rights for the people are as useful as a hole in the head.

Kind Regards,
BigTM.
 
Sort by date Sort by votes
What industry are you in? Giving everyone admin rights is definitely not "best practices", and consequently you could find your company falling short of meeting security requirements laid out in HIPAA, Sarbanes-Oxley, etc.

Your biggest issues will probably be spyware/malware related. The complications from that would run from system performance issues and downtime all the way up to security breaches, along with theft or destruction of confidential or customer data.

Where I used to work we originally deployed all of our PCs with nobody having admin rights. After awhile a vendor provided application came around that required local admin rights to function correctly. To accommodate them we gave a subset of our users full admin rights on their PCs. This affected roughly 100 of our 350 PCs deployed. Not long afterwards we found ourselves having to rebuild and redeploy 1-2 PCs a week due to users installing spyware/malware/software that shouldn't be installed, or wasting time troubleshooting "strange performance issues."

I went back to the vendor and insisted that we had to have a way to run the programs without full admin rights, and we came up with a solution that included modifying permissions on the install directories and application-specific registry keys. Once those changes were deployed we locked down the PCs again, and we had a dramatic reduction in the number of rebuilds/fixes that we had to do every week.

There is no doubt that allowing the users to have full admin rights resulted in a definite cost for the company in the form of increased IT workload which caused other IT assignments to fall behind schedule. Not to mention just the stress of having to constantly redeploy the same systems over and over again. Once we had security back where I wanted it there was a positive impact, both financially and in stress levels. And while my users were never happy that they couldn't install the latest dancing pigs screensaver, they had a lot less downtime to deal with when things were done "the right way."



But the bigger issue I think is with your management. If the person in question is an IT manager/director, then they very clearly have no idea what they're doing and shouldn't be in the job. If they're not an IT manager/director, then they very clearly have no business making decisions about routine IT security issues because they don't understand the implications. The equivalent would be me telling the finance people that we need to switch from cost-based accounting to accrual-based accounting (or vice versa). It's not my area of expertise or responsibility (or the manager's). I suspect that this is just the tip of the iceberg to come, too...
 
Upvote 0 Downvote
Many Thanks, I appreciate the time taken to respond to my query. I have compiled substantial documentary evidence and the real life examples outlined are extremely helpfull.

It seems that many Management types do not trust the people that hold it all together and when it all goes pear shaped the people opposed to the move in the first place will be blamed.

BigTM.
 
Upvote 0 Downvote
Is there a straightforward way to give users local admin rights on their machines when they need to install software, or for those programs that require the users to run them one time as an admin?
 
Upvote 0 Downvote
if the software is an msi then you can publish vioa a gpo

or if you use zen or such like then you can distibute the software and the application will have the admin rights

if you have to give admin rights then i would use resticted group gpo and then it is easy to revoke
 
Upvote 0 Downvote
As Terry has said, use a GPO with Restricted Groups to all Domain Users to the local Admin group. Don't jeopardize your job by giving actual domain admin rights to users.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

techbrain1
  • Locked
  • Question Question
Explorer Error the operating system is not compatible with this product
Replies
0
Views
280
techbrain1
techbrain1
MattM1975
  • Locked
  • Question Question
Domain Admin Logon
Replies
2
Views
560
ADB100
ADB100
Abdullah Al Maruf
  • Locked
  • Question Question
Telnet help for
Replies
2
Views
1K
gbaughma
gbaughma
goombawaho
  • Locked
  • Question Question
Domain join from wifi connected laptop
Replies
4
Views
1K
goombawaho
goombawaho
mangentle
  • Locked
  • Question Question
What are the key advantages of using Microsoft Windows Servers for businesses?
Replies
1
Views
1K
gbaughma
gbaughma

Part and Inventory Search

Sponsor

Back
Top