Keys to the Kingdom

Is giving a local user admin rights any way to run a network?

In response to my column, "Local Control" (click here to read it), where I described how to use Restricted Groups to give users local admin rights, I got some thoughtful responses chiding me for describing this type of operation. Here's an example from Peter:

Bill: While your answer is accurate, it also does everyone on the mailer a disservice. The question starts out with a statement that I have heard all too often..."We set ALL USERS to have local admin access to their PC." As you well know, this is no way to run a network. It's like handing a loaded weapon to a toddler and sending him off to the local playground. It is only a matter of time before he hurts himself or someone else.

A Microsoft Certified System Engineer should never tell you that you have to give local admin rights for a PC to a general user. Applications can be enabled by setting registry and file permissions via Group Policy. Debugging rights can be granted to a developers group via policy. There are a number of ways of dealing with problem issues without just handing every user the keys to the kingdom.

Get Help from Bill

Got a Windows or Exchange question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to Bill at mailto:boswell@101com.com; the best questions get answered in this column.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message but submit the requested information for verification purposes.)

Now, I think Peter makes an excellent point that I should have pointed out the problems with giving local admin rights to users. But I also know that quite a few system administrators routinely give users local admin rights and are none the worse for it.

So, I'd like to hear how you do business:

  • Do you give users local admin rights or not?
  • What was the critical item that caused you to make your decision?
  • Do you have any cause to regret your decision, one way or the other?

Write me at boswell@mcpmag.com with your answers to these questions; be sure to put "User Rights" on the subject line of your message. I'll bundle up the best answers in a future column.

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.

comments powered by Disqus

Reader Comments:

Fri, Dec 5, 2003 Anonymous Anonymous

Joe/Network Admin: All of my users have “Power User” rights and some have Local Admin rights. The BIG problem we face is Software Licensing. Some users disable domain admin rights so we can’t scan for software and check licensing. The next thing they due is download and install software until they’re PC quits. The exiting part is when the user decides to fix their PC beyond any capable repair and then call IT to overhaul the system. Sure we just blow down another image. But then the HR issues kick in about where is my kid’s pics and why didn’t you load this game. We’ve found that it’ much easer to deny all rights but the ones you need to work. If a user needs more rights or software they are required to justify how it applies to their job objectives. This has saved us thousands of hours.

Wed, Nov 12, 2003 Bart Anonymous

HKLM\Software is where I update rights to registry keys. To each is his/her own; whatever each admin wants to do with his/her network. If it doesn't work as a user and it does work as an admin then you know it's a rights issue. Everything on an NTFS volume is bound by NTFS rights and you'll find that the programs are for the most part putting their stuff in the same root locations.

I don't want to eliminate my job but I DO want the TCO to go down. For me, a little extra time up front goes a long way. Isnt this world's philosophy on computing and business to do is faster and cheaper? I feel confident that if I lead the faster and cheaper for a company then I will be rewarded accordingly.

I agree - "There are ALWAYS ways to do what is necessary without giving someone free reign on the machine."

Wed, Nov 12, 2003 Anonymous Anonymous

I agree with the readers who have stated that admin rights on the local machine should be avoided as much as possible. I manage the network for a small school (450 users) and all the students had admin rights on their laptops, until I was hired (apparently a dark day at the school). Using Microsoft's unsung utility epal.exe with Active Directory, we were able to give students only User-level access to the machines and still be able to run some programs, such as Adobe Photoshop, with admin-level access.
There are ALWAYS ways to do what is necessary without giving someone free reign on the machine. Why does giving someone a key to the house give them the keys to the kingdom? One small example - Give someone local admin rights on the machine, and they'll install a music-sharing program, almost guaranteed. Where will they store the music? On your network storage (meaning you have to put in software to manage quotas and limit the ability to store files of a certain type - .avi, .mov, .wav, etc....). Whose bandwidth do they use to download files and stream media, causing user complaints about 'network slowness'? Whose network is at risk because they download a seemingly harmless file with their P-to-P software that actually contains a virus that can infect your entire organization? Who is legally responsible for making sure illegal music is NOT stored on your network?
Whose kingdom is at risk?
Look at the big picture - granting admin rights without a REALLY good reason are a lazy man's way to run a network.

Wed, Nov 12, 2003 Eren Turkey

difficult questions.
it depends on network-user to give users local admin rights

Wed, Nov 12, 2003 Faisal Masood Lahore, Pakistan

Im working for a software development company. My users are computer graduates (BCS/ MCS).

Well.. I don't support the idea of giving local admin rights.

Disadvantages of local Admin Rights:
1) User can install / uninstall any thing on their system
2) User can change system settings & can lower the security level
3) Malicious packages / applications are executed more easily. & that virus/malicious code can propagate to others on the network .
4) You get a large number of support calls from those desks.
5) The time spent in rebuilding the system is a waste. With proper control that time could be utilized for some constructive work.
6) You wouldn't have full control on your network.

Advantages:
1) User can install applications if they require any.
2) Some applications which don't run with normal user cab run easily with local admin rights. (Although some suggests that you can set registry & file permission to run that application with normal user. But finding those settings is a hell of work.)
3) Adminstrator can free himself from installation work & can do some thing constructive for the company.

Suggestion:
1) Make sure to have your corporate policies straight. Have a meeting with your boss (or big boss) include development manager as well. The lay out what you company wants. then act accordingly.
2) With admin rights any application can run. It is the duty of software developing companies that they make sure that their applciation run with normal users as well. Or at least they should document the procedure where network administrators can run the application with normal user if they want.

My Example:
Here in my company, we don't give local admin rights except to few. But my experience is that user always do mess-ups. As most of them are well educated with BCS /MCS, they try to exploit loop holes in the design. Since securing network is not my primary task here. Thats why I can't spend much time in finding the registry / file settings to run softwares with normal user. In the end what happens, a call & system rebuild. Well ghost works well if you have similar hardware. But here we have different hardware after every 2-3 PCs.

Major hurdle for me is the DLL registration. Developers here need to reregister DLLs (of our web application) on their local system off & on. Some times every 10 minutes during testing / debugging of COM+ components. Normal user can't run regsvr32.exe to register DLLs. Thats why I've to give few of those developers local admin rights.

Well if any one have a solution to my problem, then let me know. :)

Our perimeter is prettty secure, but interior is too soft due to those admin privillaged users. I face the consequences of this some times.

Tue, Nov 11, 2003 Alan PA

There has always been controversy as to whether to grant local admin access. I've been in the IT field for about 12 years and have always given local admin rights. My philosophy is this.... Give the users admin rights first and then if they become a problem child (Too many help desk calls because of things THEY have done), then you lock down the system. Give them enough rope to hang themselves. Besides if we didn't have users messing up their systems there wouldn't be as many IT positions now would there? That's my 2 cents.

Tue, Nov 11, 2003 Charlie Blank Irving, Tx

I don't understand how someone having local administrator privileges can damage anything other than the workstation he is using. Please explain how the key to your house is the key to the kingdom.

Tue, Nov 11, 2003 Bart Anonymous

It has been my experience that the less a user can do (install) to a computer then the better off the computer is. 20% of our users are non-Local Admins and they make up for 2% of the calls to the help desk. In most cases the corporate computer being used is the best computer a user has in their computing world. Plus, unlike at their home, they have an IT department to fix it when they break it. Another thing that comes to mind is when a user has the rights to change the location that they store things. When and if the computer gets replaced something gets lost. They don't know any better, we do.

2500 users

Tue, Nov 11, 2003 Russell Texas

At our locations there are many applications that would force you to tweak security to allow them to function properly and by the time you do this to several machines and different applications, the security you think you are providing is not really there. Also if you are trying to support a standard image and expect common problems to be resolved the same for everyone, tweaking security does not seem to be a solution that would provide a standard workstation to support. We give users at our company local admin rights but we disable desktop tools (i.e registry editor) that allow them to do certain admin functions. The user is still allowed to install non-supported I.T. software without I.T. support with the knowledge if this messes up their PC I.T. will spend little time fixing the problem but re-image the PC.

Wed, Oct 29, 2003 dude CA

I work at a small college, and we give local admin privs to faculty, because they often need to install hardware and software, etc. We have had virtually no adverse affects from this in the last 3 years, mostly because we tell them that they are responsible for their systems (backups, security, stability). I do end up supporting them and help them with all of that, but much less so than if they had restricted access. They know they need to be careful.

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Comment:
Please type the letters/numbers you see above

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.