Keys to the Kingdom
Is giving a local user admin rights any way to run a network?
- By Bill Boswell
In response to my column, "Local Control" (click
to read it), where I described how to use Restricted
Groups to give users local admin rights, I got some thoughtful responses
chiding me for describing this type of operation. Here's an example from
Bill: While your answer is accurate, it also does everyone
on the mailer a disservice. The question starts out with a statement
that I have heard all too often..."We set ALL USERS to have local
admin access to their PC." As you well know, this is no way to
run a network. It's like handing a loaded weapon to a toddler and sending
him off to the local playground. It is only a matter of time before
he hurts himself or someone else.
A Microsoft Certified System Engineer should never tell you that you
have to give local admin rights for a PC to a general user. Applications
can be enabled by setting registry and file permissions via Group Policy.
Debugging rights can be granted to a developers group via policy. There
are a number of ways of dealing with problem issues without just handing
every user the keys to the kingdom.
Help from Bill
Got a Windows or Exchange question or need troubleshooting
help? Or maybe you want a better explanation than provided
in the manuals? Describe your dilemma in an e-mail
to Bill at mailto:[email protected];
the best questions get answered in this column.
When you send your questions, please include your
full first and last name, location, certifications (if
any) with your message. (If you prefer to remain anonymous,
specify this in your message but submit the requested
information for verification purposes.)
Now, I think Peter makes an excellent point that I should have pointed
out the problems with giving local admin rights to users. But I also know
that quite a few system administrators routinely give users local admin
rights and are none the worse for it.
So, I'd like to hear how you do business:
- Do you give users local admin rights or not?
- What was the critical item that caused you to make your decision?
- Do you have any cause to regret your decision, one way or the other?
Write me at [email protected]
with your answers to these questions; be sure to put "User Rights"
on the subject line of your message. I'll bundle up the best answers in
a future column.
About the Author
Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.