Local Admin Rights, Right or Wrong
Based on your feedback, the issue of local admin rights isn't cut and dried.
- By Bill Boswell
to the Kingdom
," I invited input on whether or not you
permitted users in your network to have local admin rights on their desktops.
To date I've received more than a hundred replies that run the gamut from
"Not no way, not no how," to "Yeah, we do, and what's the
Most everyone agreed that they didn't like giving local admin rights,
but many found it necessary for one reason or another. I found nearly
100-percent agreement that some form of local admin permissions was required
for laptop users, but the case for desktops was much less cut-and-dried.
Here are a few examples:
John, a network engineer in a corporation: Like many businesses, we've
faced decreasing budgets and reduced manpower. We don't have the time
to spend tweaking security rights. For the most part our users are a responsible
bunch who want to get their work done and go home. The few problems we've
had were easily addressed with a basic Computer Use Policy that allowed
us to manage the staff in a traditional non-technical fashion (if you
abuse the company's equipment again you will be terminated.) We use Ghost
on our network so if someone really messes up their machine we can clone
it back again in a fraction of the time it would take to tweak local security
for every app on the network.
On the other hand, Jorge, the IT director for a city, made this case
for doing the necessary work to avoid granting local access rights: Never,
ever do I give admin rights. I set registry and file permissions. I've
had a software vendor insist that their application would not run unless
I gave admin rights to the user. We tweaked and tested different registry
and file permissions until the application ran correctly. We then presented
them to the software vendor for testing to make sure all was well. They've
since adopted the changes and include it in all documentation. Moral of
the story: regardless of what vendors or other admins may say, granting
local admin rights isn't necessary and should be avoided.
Many administrators cited a single mission critical application that
prevented them from restricting local admin rights. They weren't happy
about it, but they had to make the adjustment. Jeff: Our organization
does indeed make the individual user assigned to a particular workstation
a member of the local administrators group. This is done to accommodate
the numerous changes that are made to the registry by AutoCAD and other
engineering programs we use. I agree with your respondent's letter that
you posted, but I feel that our organization has neither the time nor
resources to invest in researching the group policy issue at this time.
Not surprisingly, university administrators were nearly (but not completely)
unanimous that they had to give local admin rights. I liked the program
that Charlie set up at a large university: We have a program where our
employees can be designated a "Free Range User." It requires
them to attend a short training and information session. Once they complete
the session, we give them Local Administrator rights to their computer.
They are warned that if they mess up their computer, our techs will spend
minimal time trying to fix it. If the tech can't find the problem within
15 to 30 minutes, the computer is wiped and re-imaged with our baseline
software configuration. They get a little card signifying their status
and agree to augment the IT staff during times of virus outbreaks or helping
their coworkers with simple tasks such as connecting to network printers.
Another university administrator named Charlie took this approach: When
we rolled out Windows XP machines a year ago, we did not add the user's
domain account to the local Administrators group. Instead we created a
local account with Admin rights that they can use as an alternative. That
works a little better because the user is not performing their normal
functions with Admin rights. They are also less likely to install unneeded
and messy apps because it's not so convenient.
Some respondents cited the eighth layer of the OSI model, the
political layer, as the reason for granting local privileges. Steven:
There are two employees here that were granted admin rights by their application
of mightier force. They went to their boss (my boss's boss) and pleaded;
the boss then twisted our arms until we granted the rights. We also gave
them the responsibility that goes with those rights. When they screw up
their machines, which has happened a couple of times, we happily install
our Ghost copy of their drives. They lose data and we respond, "Oh
I got many replies from small business consultants like Amy, who makes
this case: I routinely give users admin rights. It's a situational necessity.
My clients are all small businesses that only require my services a few
hours every month. The users are very independent and computer savvy.
They are competent enough to be allowed to install applications without
coming to me first. I've done proactive training to put some fear into
them about installing or deleting the wrong thing. With cooperative users,
ongoing training, anti-virus and anti-pest software all runs quite smoothly.
My users know that if they have any questions that I'm only a phone call
away and I encourage them to call.
And Dave made the case for overworked administrators in smaller companies:
In essence, we have a "trust" relationship with our employees.
We treat them like mature adults and expect them to act that way. This
has worked for us thus far, though we are a small company (less than 100
clients). Perhaps in a larger shop, different measures are prudent.
I must admit that I like the idea of treating adults like adults and I
got many replies in that same vein, but Bill, a network admin for a
farm supply company in Pennsylvania, argues in favor of distrust: It's
my job to keep nasty stuff from infecting my network. If I give someone
local admin rights they can uninstall/disable the installed antivirus
software and would also be able to install programs like an instant messenger
or peer-to-peer file-sharing application or anything they choose. The
loaded gun/child analogy is perfect. If they need another application
installed that's outside of our standard load, then they can take it to
their manager and explain the legitimate business need. It's at that point,
then, that software gets installed.
Frankly, I found Bill's argument compelling. Users might be highly trusted,
but they aren't regularly exposed to trade information that warns them
of the dangers of spyware or certain peer-to-peer programs and they aren't
as likely to know when particularly dangerous worms are circulating.
Still, the bottom line is that there is no bottom line. The decision
to grant local admin rights, like any other system administration decision,
is based on the need to further the goals of the organization while finding
a few spare hours to get home and see the family.
Thanks to everyone who took the time to write. Be sure to let me know
if you have especially good war stories on this or any other topic.
Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.