Keys to the Kingdom

Is giving a local user admin rights any way to run a network?

In response to my column, "Local Control" (click here to read it), where I described how to use Restricted Groups to give users local admin rights, I got some thoughtful responses chiding me for describing this type of operation. Here's an example from Peter:

Bill: While your answer is accurate, it also does everyone on the mailer a disservice. The question starts out with a statement that I have heard all too often..."We set ALL USERS to have local admin access to their PC." As you well know, this is no way to run a network. It's like handing a loaded weapon to a toddler and sending him off to the local playground. It is only a matter of time before he hurts himself or someone else.

A Microsoft Certified System Engineer should never tell you that you have to give local admin rights for a PC to a general user. Applications can be enabled by setting registry and file permissions via Group Policy. Debugging rights can be granted to a developers group via policy. There are a number of ways of dealing with problem issues without just handing every user the keys to the kingdom.

Get Help from Bill

Got a Windows or Exchange question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to Bill at mailto:[email protected]; the best questions get answered in this column.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message but submit the requested information for verification purposes.)

Now, I think Peter makes an excellent point that I should have pointed out the problems with giving local admin rights to users. But I also know that quite a few system administrators routinely give users local admin rights and are none the worse for it.

So, I'd like to hear how you do business:

  • Do you give users local admin rights or not?
  • What was the critical item that caused you to make your decision?
  • Do you have any cause to regret your decision, one way or the other?

Write me at [email protected] with your answers to these questions; be sure to put "User Rights" on the subject line of your message. I'll bundle up the best answers in a future column.

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.


  • Microsoft Drops 'Solorigate' for 'Nobelium' in Ongoing SolarWinds Attack Investigations

    Microsoft this week described "three new pieces" of malware that were used in the SolarWinds Orion espionage attacks dubbed "Solorigate," although Microsoft security researches are now calling it "Nobelium."

  • Microsoft Universal Print Service Commercially Released

    Microsoft announced on Tuesday that its Universal Print service is now commercially released at the "general availability" stage worldwide.

  • Restoring a Backup to Dissimilar Hardware: 3 Things To Watch Out For

    Getting a new desktop looking and feeling like the old one used to take a long time, but modern backup applications have greatly streamlined the process. Still, there are a few things to keep in mind to avoid potential issues.

  • Black Box

    Microsoft Releases Windows Server 2022 Preview

    Microsoft announced during its Ignite event that Window Server 2022 is currently availability at the preview stage.

comments powered by Disqus