Local Admin on Windows 10 in a domain 1

[colinmitton]

I have a bit of an interesting issue, I have a mixture of modern / legacy applications running on Windows 10 64bit (1607). All these computers run on a Windows domain. To get some of these applications to work I've need to stop UAC and provide domain users with local security rights to a few folders so they can make adjustments. I'm now finding that when a user wishes to add in a usual plug to a web browser (like our banking software!) or install an application (like Dropbox) I have to go to there PC login as a domain admin install the app then log out so they can do this.

Before with Window 7 I could add them to the local administrators group (on the Computer) then use GPO's to nail them down and block access to certain applications / folders etc. But with Windows 10 if I add them to local admin group Edge does not work plus I can't access certain folders. But if I have the correct GPO (to allow UAC to work) enabled I can then elevate to an admin users and install from there login. but then my legacy Apps will not work (as I've been told by my suppliers).

I'm sure I'm not the only person facing this issue so is there a way to have windows 10 (1607) running on a domain with the users running as a 'Local Admin' but keeping UAC disabled so edge still works and I can still access everything (as they would be local admins)! I've been running in circles googling this for Days / Weeks any thoughts / experience on this would be grateful.

 

[hairlessupportmonkey]

We work with a largish enviromental architecial company and their user requirements are a PITA for installing software. we removed all admin and local admin rights through fear of end user stupidity.

I recenly came across PDQ deply for installing software. Its great and doesnt require a degree in microsoft to install and set up, and you can run the console from your desk. Hurrah!

ACSS - SME
General Geek

 

[colinmitton]

Thanks I'll take a look in to that for future use. Generally my users are well trained enough not to add applications unless the go through me first. Plus me taking there PC away for a few hours to rebuild soon puts them off!

It's just so annoying that on a few older apps I need them to be able to bypass the UAC then it would be a case of just remote accessing the PC putting in some admin credentials then away you go.

 

[hairlessupportmonkey]

All I can say is Ransomware.

ACSS - SME
General Geek

 

[colinmitton]

Very true, been hit once and now have effectively 4 layers of security from internet to PC from 3 different providers. Our legacy system will cost £100k+ to replace so as you may guess they are happy to survive as we are for now. I'm just trying to make my life slightly easier as I'm the only IT person here.

 

[kjv1611]

PDQ deploy looks awesome. Thanks for mentioning that.

"But thanks be to God, which giveth us the victory through our Lord Jesus Christ." 1 Corinthians 15:57

 

[hairlessupportmonkey]

It is awesome, and it pretty robust.

The videos are great too.

One fat guy drinking scotch talking smack, and a long bearded techie....

ACSS - SME
General Geek