
Domain Users member of Local Administrator group

Status
Not open for further replies.

windowsfan

IS-IT--Management
Jan 26, 2007
237
US
In our current network, domain users are members of the local Administrators group. I want to get rid of this for security reasons. But some of the applications do not work if I take domain users out of the local Administrators group. What's the best practice?

We have many users and domain admins who log on to the terminal server and other servers, and they end up shutting down the server instead of logging off. What can I do to prevent everyone from shutting down the server?
 
Depends on the program. I have an IBM access client program where the user only needs full rights on one folder in Program Files.

Also, you can stop the users from shutting down your server in Group Policy.

At my old job, in AD I put the terminal server in a folder/container by itself.

Then right-click, Group Policy: somewhere in the policy you can deny shutdown.
 
To keep them from shutting down the system, go into group policies and look under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> Shut down the system. Just make sure that they aren't a member of one of the groups listed there.

The bigger issue is that they have admin rights on a server. Best practice is not to allow this. As you noted, this can cause many applications not to run.

What you need to do is test each application to find out which ones currently require admin rights to run. After that you'll have to either do some testing or check with the software vendors to find out a) if they truly need admin rights to run (which they almost never do), and b) if not, what parts of the registry and filesystem they need access to that regular users don't have access to. Then give them rights to it, and you should be able to run as a user after that. If the vendor is uncooperative, Sysinternals (now owned by Microsoft) has some free tools that will monitor the registry and filesystem and let you know what parts of them are being modified. This can help you track it down on your own. It will be tedious either way.
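As an added example (not posted in the thread), a PowerShell audit that checks both points raised above on one server: whether broad domain groups such as "Domain Users" sit in the local Administrators group, and which principals currently hold the "Shut down the system" user right (SeShutdownPrivilege). It assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember) and an elevated prompt for secedit; the list of groups to flag is a constructed example.

```powershell
# Added audit script (not from the thread). Run elevated on each server,
# or wrap it in Invoke-Command to sweep several servers at once.

# 1. Local Administrators membership: flag broad domain/built-in groups.
#    The groups to flag are a constructed example; extend to fit your domain.
$broadGroups = @('Domain Users', 'Authenticated Users', 'Everyone')
$admins = Get-LocalGroupMember -Group 'Administrators'
foreach ($m in $admins) {
    $shortName = ($m.Name -split '\\')[-1]          # strip the DOMAIN\ prefix
    $flag = if ($broadGroups -contains $shortName) { 'REMOVE' } else { 'review' }
    '{0,-7} {1,-6} {2}' -f $flag, $m.ObjectClass, $m.Name
}

# 2. Who holds "Shut down the system"? secedit exports the effective local
#    policy as an .inf; SeShutdownPrivilege is a comma-separated list of *SIDs.
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeShutdownPrivilege\s*=' }
$holders = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
foreach ($h in $holders) {
    $resolved = $h
    if ($h.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($h.TrimStart('*'))
            $resolved = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }                                  # keep the raw SID if it cannot be resolved
    }
    "Shut down the system: $resolved"
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Anything flagged REMOVE in part 1, or an unexpected group in part 2, is what the Group Policy path given above (User Rights Assignment -> Shut down the system) and the per-application permission work are meant to fix.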
 
Thanks for your help. I will try that and let you know how it goes.
 