Local Admin Rights, Right or Wrong

Based on your feedback, the issue of local admin rights isn't cut and dried.

In "Keys to the Kingdom," I invited input on whether or not you permitted users in your network to have local admin rights on their desktops. To date I've received more than a hundred replies that run the gamut from "Not no way, not no how," to "Yeah, we do, and what's the big deal?"

Most everyone agreed that they didn't like giving local admin rights, but many found it necessary for one reason or another. I found nearly 100-percent agreement that some form of local admin permissions were required for laptop users, but the case for desktops was much less cut-and-dried.

Here are a few examples:

Get Help from Bill

Got a Windows or Exchange question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to Bill at mailto:boswell@101com.com; the best questions get answered in this column.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message but submit the requested information for verification purposes.)

John, a network engineer in a corporation: Like many businesses, we've faced decreasing budgets and reduced manpower. We don't have the time to spend tweaking security rights. For the most part our users are a responsible bunch who want to get their work done and go home. The few problems we've had were easily addressed with a basic Computer Use Policy that allowed us to manage the staff in a traditional non-technical fashion (if you abuse the company's equipment again you will be terminated.) We use Ghost on our network so if someone really messes up their machine we can clone it back again in a fraction of the time it would take to tweak local security for every app on the network.

On the other hand, Jorge, the IT director for a city, made this case for doing the necessary work to avoid granting local access rights: Never, ever do I give admin rights. I set registry and file permissions. I've had a software vendor insist that their application would not run unless I gave admin rights to the user. We tweaked and tested different registry and file permissions until the application ran correctly. We then presented them to the software vendor for testing to make sure all was well. They've since adopted the changes and include it in all documentation. Moral of the story—regardless of what vendors or other admins may say, granting local admin rights isn't necessary and should be avoided.

Many administrators cited a single mission critical application that prevented them from restricting local admin rights. They weren't happy about it, but they had to make the adjustment. Jeff: Our organization does indeed make the individual user assigned to a particular workstation a member of the local administrators group. This is done to accommodate the numerous changes that are made to the registry by AutoCAD and other engineering programs we use. I agree with your respondent's letter that you posted, but I feel that our organization has neither the time nor resources to invest in researching the group policy issue at this time.

Not surprisingly, university administrators were nearly (but not completely) unanimous that they had to give local admin rights. I liked the program that Charlie set up at a large university: We have a program where our employees can be designated a "Free Range User." It requires them to attend a short training and information session. Once they complete the session, we give them Local Administrator rights to their computer. They are warned that if they mess up their computer, our techs will spend minimal time trying to fix it. If the tech can't find the problem within 15 to 30 minutes, the computer is wiped and re-imaged with our baseline software configuration. They get a little card signifying their status and agree to augment the IT staff during times of virus outbreaks or helping their coworkers with simple tasks such as connecting to network printers.

Another university administrator named Charlie took this approach: When we rolled out Windows XP machines a year ago, we did not add the user's domain account to the local Adminstrators group. Instead we created a local account with Admin rights that they can use as an alternative. That works a little better because the user is not performing their normal functions with Admin rights. They are also less likely to install unneeded and messy apps because it's not so convenient.

Some respondents cited the eighth layer of the OSI model—the political layer—as the reason for granting local privileges. Steven: There are two employees here that were granted admin rights by their application of mightier force. They went to their boss (my boss's boss) and pleaded; the boss then twisted our arms until we granted the rights. We also gave them the responsibility that goes with those rights. When they screw up their machines, which has happened a couple of times, we happily install our Ghost copy of their drives. They lose data and we respond, "Oh well!"

I got many replies from small business consultants like Amy, who makes this case: I routinely give users admin rights. It's a situational necessity. My clients are all small businesses that only require my services a few hours every month. The users are very independent and computer savvy. They are competent enough to be allowed to install applications without coming to me first. I've done proactive training to put some fear into them about installing or deleting the wrong thing. With cooperative users, ongoing training, anti-virus and anti-pest software all runs quite smoothly. My users know that if they have any questions that I'm only a phone call away and I encourage them to call.

And Dave made the case for overworked administrators in smaller companies: In essence, we have a "trust" relationship with our employees. We treat them like mature adults and expect them to act that way. This has worked for us thus far, though we are a small company (less than 100 clients). Perhaps in a larger shop, different measures are prudent.

I must admit that like the idea of treating adults like adults and I got many replies along that same vein, but Bill, a network admin for a farm supply company in Pennsylvania, argues in favor of distrust: It's my job to keep nasty stuff from infecting my network. If I give someone local admin rights they can uninstall/disable the installed antivirus software and would also be able to install programs like an instant messenger or peer-to-peer file-sharing application or anything they choose. The loaded gun/child analogy is perfect. If they need another application installed that's outside of our standard load, then they can take it to their manager and explain the legitimate business need. It's at that point, then, that software gets installed.

Frankly, I found Bill's argument compelling. Users might be highly trusted, but they aren't regularly exposed to trade information that warns them of the dangers of spyware or certain peer-to-peer programs and they aren't as likely to know when particularly dangerous worms are circulating.

Still, the bottom line is that there is no bottom line. The decision to grant local admin rights, like any other system administration decision, is based on the need to further the goals of the organization while finding a few spare hours to get home and see the family.

Thanks to everyone who took the time to write. Be sure to let me know if you have especially good war stories on this or any other topic.

comments powered by Disqus

Reader Comments:

Sun, Mar 25, 2012 Phredog Scottsdale, AZ

I am a developer and an Linux admin. I develop on both Linux and Windows. I am currently fighting with my employer over this. My policy is simple; I get 100% unrestricted admin rights on ANY and ALL comptuers assinged to me. If they argue, I do one of two things: 1. Crack the admin password. - Being that none of the managers agree with the policy, no HR action will be taken against me if I decide to crack the passwords. 2. I can work someplace else. There are at least 50 employers within a half mile. The economy is gettnig better. Headhunters are calling. I will demand that full admin rights or an option to purchase my own PC for corporate use be part of my employment contract. My Windows apps check for admin rights. If the app is not running as the administrator, I throw an error message on the screen. When my phone rings. I just tell them to call the Windows admin about it.

Fri, Dec 30, 2005 John McGuinness Melbourne Australia

I am an electrical design contractor and from a user perspective, I am totally sick and tired of trying to get permissions from IT departments to get permission to install software which will save me hours on the job, only to find that the software is unsupported and therefore not to be installed on the system. It would seem to me that the IT policies of many companies are set to cater to the lowest common denominator, the 'nuffer'who knows 'nuffin' about computers, the internet and the possible problems that installing software from the internet can cause. My unfortunate experiences have been duplicated by my girlfriend who works as a purchasing officer for an IT business which was recently brought out by a large telco out here in australia. The IT dept of the Telco took their laptops away for a day (costing many $'s in lost production because no one could work for a whole day), and when they were returned, they could no longer VPN into the network, so they could no longer work from home, they could not install business related software because it was 'unsupported' and they could not install the software associated with their palm pilots and other PDA's.

Whilst I do understand the issues related to adopting an 'open slather' policy where anyone can install anything at any time, surely common sense business related applications should be able to be installed without filling in a whole fist full of forms and putting fwd a business case for each and every application used by every user.

What I am saying is that common sense should prevail. Training of users in what the form they signed at the beginning of their employment (IT policy) actually means and the used of packet sniffers would generally quickly indicate which users need to be re-educated (with vigorous application of the IT managers boot to their ass if required).


Sun, Apr 4, 2004 tha Anonymous

i would like to get local admin powered if it ok

Thu, Feb 5, 2004 Anonymous Anonymous

Just the issue I'm debating at the moment

Tue, Nov 18, 2003 Paul Ohio

When it comes to getting legacy applications to run properly on Windows 2000 there is an MMC snap-in called "Security Configuration and Analysis". Use this to apply the compatws.inf security template. This will loosen registry & directory permissions enough so that applications will run without giving users "Power User" or "Administrator" rights.

Mon, Nov 17, 2003 Jason Cleveland

We have yanked it across the board. Even our techs and domain administrators do not have local admin rights on their computers. We engineered additional local accounts that "elevate" standard users to allow them more access to some restricted areas of the computer to address many of the non-compliant softwares in the wild. We also used one of those accounts to deny permission to certain functions, so that even if a user becomes a local admin, they will still get "permission denied" for some file and registry functions. Couple this with group policy, and you can easily and efficiently granulate rights to an XP computer without comprimising security. Additionaly, XP has the run-as function that works around any other restrictions our IT department's need. BTW, we have 2500+ systems with 70+ locations.

Thu, Nov 13, 2003 Anonymous Anonymous

The real problem is the implementation of the Microsoft registry security model. Developers shouldn't create general use programs that require administrative access to run. Microsoft themselves are guilty of this; we have problems at our work with Microsoft Office when users don't have administrative access!

Thu, Nov 13, 2003 Mark Massey Florida

This was a super article.

What is most important is that it pointed that each situation requires its own anlysis and no single solution will fit all situations!

Generally I fall into agreement with the fellow from Penn. No business case showing need then no way!

Great Article extrmely REAL WORLD!

Mark Massey MCP 316

Wed, Nov 12, 2003 Rhonda Florida

Having first been a systems administrator and then a developer, I now understand the need for the development community to have local admin rights to their PCs. As a Systems Administrator, I took the time to understand who my client community was, what tools they used, and how they used them. Now that I work as a project manager for an applications development team, I don't have the time or funds to waste while making my case for each developer who needs rights, while my IT department tells me that the corporate policy dictates that we (the corporation as a whole) cannot have local admin rights to our PCs to do our jobs. When this general statement is made, I know that the committee who put this policy in place did not do their due diligence to the people they are servicing. It would be nice if IT departments would have the foresight to customize rules based on groups, if you are in an environment to do. But a blanket statement like that may be to the detriment of the primary business of the company, i.e. manufacturing, retail, etc.

Wed, Nov 12, 2003 David Chicago

I found all of the responses to this article very interesting. There was a mix, but there are a lot of admins that are still willing to grant local admin rights. While I am aware that we all have time constraints, I like to think of it like this - If you think you do not have the time to setup systems right the first time, what makes you think that you'll have time to clean up the mess later? Aside from the nuisances of installing applications and printer drivers it is really important to remember that there are a lot of NOT NICE people out there. Stolen laptops. Instant access to your corporate networks and data. Spyware. Virus propogation. There are too many reasons to take security seriously, we just keep ignoring them! I saw someone mention that they actually informed an ISV how to install thier software without granting excessive rights. Bravo! They now have a user that can get thier job done - and have reduced the likeleyhood of this user inadvertently doing damage... to themselves or someone else...

Wed, Nov 12, 2003 Daniel A secured Govt. site

We give No one admin rights to thier systems. To get around the software problem of needing admin rights to run, we give the user temporary admin rights to to luanch the program and to write to the registry. Then we removed them from the admin group. This seems to work for for those programs like Calendar Creator.

Wed, Nov 12, 2003 Tony UK

I think most of the respondents to this topic have missed the point. They all assume that any damage done by users with admin privilege will be unintentional. Not one of them has mentioned the malicious use of excessive system privilege, which is still claimed to be the biggest source of "hacking"...

Wed, Nov 12, 2003 Faisal Masood Lahore, Pakistan

Im working for a software development company. My users are computer graduates (BCS/ MCS).

Well.. I don't support the idea of giving local admin rights.

Disadvantages of local Admin Rights:
1) User can install / uninstall any thing on their system
2) User can change system settings & can lower the security level
3) Malicious packages / applications are executed more easily. & that virus/malicious code can propagate to others on the network .
4) You get a large number of support calls from those desks.
5) The time spent in rebuilding the system is a waste. With proper control that time could be utilized for some constructive work.
6) You wouldn't have full control on your network.

Advantages:
1) User can install applications if they require any.
2) Some applications which don't run with normal user cab run easily with local admin rights. (Although some suggests that you can set registry & file permission to run that application with normal user. But finding those settings is a hell of work.)
3) Adminstrator can free himself from installation work & can do some thing constructive for the company.

Suggestion:
1) Make sure to have your corporate policies straight. Have a meeting with your boss (or big boss) include development manager as well. The lay out what you company wants. then act accordingly.
2) With admin rights any application can run. It is the duty of software developing companies that they make sure that their applciation run with normal users as well. Or at least they should document the procedure where network administrators can run the application with normal user if they want.

My Example:
Here in my company, we don't give local admin rights except to few. But my experience is that user always do mess-ups. As most of them are well educated with BCS /MCS, they try to exploit loop holes in the design. Since securing network is not my primary task here. Thats why I can't spend much time in finding the registry / file settings to run softwares with normal user. In the end what happens, a call & system rebuild. Well ghost works well if you have similar hardware. But here we have different hardware after every 2-3 PCs.

Major hurdle for me is the DLL registration. Developers here need to reregister DLLs (of our web application) on their local system off & on. Some times every 10 minutes during testing / debugging of COM+ components. Normal user can't run regsvr32.exe to register DLLs. Thats why I've to give few of those developers local admin rights.

Well if any one have a solution to my problem, then let me know. :)

Our perimeter is prettty secure, but interior is too soft due to those admin privillaged users. I face the consequences of this some times.

Tue, Nov 11, 2003 Pat Washington

I was very reluctant to restrict local admin rights until I did a check of software installations and found that there were more than a few instances of software being installed when the license issues were less than clear.

Tue, Nov 11, 2003 elborba Anonymous

I support several small businesses, often in just a small workgroup setting, and I outline in detail in my support contract the rights and responsibilities of users holding Admin rights. I educate the business owner and/or manager regarding this approach, as well as creating individual seperate user accounts with admin rights for one or two of the most technically literate people at the company. This also allows them to log onto a machine as an Admin, and act as my hands for doing phone support. I do not however, want them doing their day-to-day work as an Admin. This has worked well, with only a few instances of problems caused by this approach, and a couple of friendly, non-judgemental hours of follow up training when things do go wrong (billed at my support rate) helps keep everyone on the straight and narrow. I 've also found that giving these individuals this additional power and responsibility has resulted in many of them being more inclined to call me prior to doing something tricky.

Tue, Nov 11, 2003 Jim Seattle

The purist in me whole-heartedly supports the practice of restricting local admin rights. The realist knows that it is infeasible to insist on such a policy without devoting hundreds or possibly thousands of man-hours to tweaking and fine-tuning so as to achieve that objective with every application we run. But what concerns me more than this debate over granting internal users local admin privileges to their computers is the clearly rampant practice of rebuilding computers from a "baseline" image. So long as that baseline image is kept up to date, I don't see a problem with that, but the tendancy is for the "baseline" to slowly fall behind in updates. After many months, you restore your baseline on a few computers and you have Blaster and SoBig raging through your network all over again. An alternative to constantly patching and updating baseline images is to find a secure configuration for computers that prevents susceptibility to most viruses. THAT is, in my opinion, where the biggest bang for the buck may be found.

Tue, Nov 11, 2003 Jack Testa Philadelphia

This is a question I’ve had to deal with over and over with my customers. There is always one app or one user or one political hurdle etc.
To the apps to date, every app I’ve ever been presented with that “just will not work” without local admin rights I’ve been able to make work with little more than file auditing and registry activity monitor (reg sniffer).
As to that one user, who normally represents himself as a “computer expert”; we can not forget that these are business computers, bought by a business, supported by a business for business use. It decides what apps go on, tests them and deploys them. If the “one special user” wants to install a new MP3 player or some stock tracking software, tell them to buy their own computer. At the end of the day, a locked down workstation is a more stable workstation and costs the company less to run.

Tue, Nov 11, 2003 Anonymous Anonymous

If anyone knows of reg hack to allow auto updates for McAfee on clients with user permission let me know. Seems we can't "auto" update the McAfee software unless user logged in with admin perms.

Tue, Nov 11, 2003 JC Seattle

The foundational problem with the admin rights requirement is that software vendors are still writing to the Win9x security model. I'm convinced that any app that REQUIRES admin rights to run is basically a legacy app. Like some of your repospondants, I've tweaked registry settings until I could get an app to work; I've required managerial approval and business case for application installation and admin rights; etc., etc. Bottom line - the 8th Layer ALWAYS wins in our environment. Management is ALWAYS amazed at the damage and cost this position incurs.

Tue, Nov 11, 2003 Dean Richmonnd, VA

I believe more people would implement user level permissions if more applications worked properly when implemented. The concept is excellent and goes far beyond loading software. It includes being able to manage and affect the particular users desktop only, and not change the settings for other users. I understand when users ask to treat people like people, but on the other hand can you imagine going to a hospital for an emergency and they can not find your medical records because their computer is down, i.e. someone did something they should not have done. This lack of information then results in a negative health affect? In our litigious society who would be responsible? The patient for not bring their own files? The clerk at the front desk? The computer manufacturer? - or would it be the hospital? Therefore what do you think the response would be to protect the hospital? Treat people with respect, or insure place restrictions in place to make every attempt to minimize service disruptions?

However, not everyone works in these environments. The cost and expertise to resolve many of these issues is high. We too are an engineering shop and had to work through the various settings for AutoCAD? Unless you have the time and expertises to sift through the event logs for days, and have the manufacturer tell you that you are unsupported, the only remaining choice is Admin authority; or is it?

Another alternative.
So what can we as a user community do to make our life better? I recommend using products with the operating system logo whenever possible. AutoDesk has recently obtained this certification for AutoCAD 2004. Way to go. Products that are logo install easily. Support implementation with Policies, remote assistance, profiles, document redirection, and users working with user rights. If you product does not have a logo then complain! Find products with the logo. Otherwise you will need to spend the time, or provide admin level authority.

Tue, Nov 11, 2003 Anonymous Anonymous

The foundational problem with the admin rights requirement is that software vendors are still writing to the Win9x security model. I'm convinced that any app that REQUIRES admin rights to run is basically a legacy app. Like some of your repospondants, I've tweaked registry settings until I could get an app to work; I've required managerial approval and business case for application installation and admin rights; etc., etc. Bottom line - the 8th Layer ALWAYS

Tue, Nov 11, 2003 Eric NY

The answer, as always, is "it depends." If you're in a highly managed environment like an office, or a call center, or an airport check-in counter, you need to keep the admin power away from the users. Workers who do the same job all day (like answering the phone over and over again) are the most likely to cause problems due to sheer boredom. If you're doing the IT work for an engineering firm, then admin rights should be granted because you can trust your users to solve many of their own problems. Generally, if you provide help desk service and the ability to solve problems quickly, the users have no need for admin righta.

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Comment:
Please type the letters/numbers you see above

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.