
Best practices for workstation users who need Admin

Status
Not open for further replies.

cnull

MIS
Oct 30, 2003
56
US
I have a situation where most users need to have administrator privileges on their local PC. All PCs are on a domain so I made the assumption that I could just add DOMAIN\USERS to the administrator group of every PC. That was dumb because I just realized that now everyone has Admin to every PC on the network. For example everyone can just type \\hostname\c$ and get full access to every file on the PC, including the admins, managers etc... I need to fix this quickly. What is the best solution so that the users can remain a local admin and yet not have access to anyone else’s files?

Thanks!
 
Remove the users group from the admin users and be more granular.

Will the stores guy really need to log on to the MD's laptop? No.

But all stores guys will need admin rights to the stores PC so add the stores group to the pc then if you need to add others later.

Iain
 
Well, granular is good, but I was looking for something that is a little less work in the long run. For me it would be a lot of work to maintain different groups in AD for each section. Our department is way too big.

I found another possible solution, Authenticated Users. I read this article about it and it seems that it might be the solution.


Does anyone have any experience with Authenticated users group? How does it work for you? Will I run into any problems?

Thanks!
 
Yes, you are right. That looks like it might work. I also like that users cannot remove domain admins from the local admin group. We have some programmers that feel they are above the law and have done that. I feel much more powerful now!!! LOL

Thanks! Good post 58sniper.
 
I agree with Pat and would tell you that there is little reason for any user (even developers) to need to be admin on their box.

Set up security properly. Give them write rights to the program folders they need and change permissions to the registry keys/hives they need. That will supplement the need for admin rights in most situations.

This is often a lot of work the FIRST time as you work to get it right, but once you have the settings it is easy to maintain and set. For the NTFS permissions you can even create a script to set them up so it is just a double click operation.

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
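
A sketch of the kind of permissions script described in the post above, as an added example that is not from the thread or any poster: it grants one group Modify on an application folder and write access to its registry key, then lists broad groups still present in the local Administrators group. The group name, folder and registry key are hypothetical placeholders; it assumes Windows PowerShell 5.1 and an elevated prompt.

```powershell
# Added example. All names below are hypothetical placeholders.
param(
    [string]  $Group   = 'EXAMPLE\Stores-Users',            # hypothetical domain group
    [string[]]$Folders = @('C:\Program Files\StoresApp'),   # hypothetical application folder
    [string[]]$RegKeys = @('HKLM:\SOFTWARE\StoresApp')      # hypothetical application key
)

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$allow     = [System.Security.AccessControl.AccessControlType]::Allow

# NTFS: Modify on the folder and everything below it, instead of local admin.
foreach ($path in $Folders) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Missing folder: $path"; continue }
    $rights = [System.Security.AccessControl.FileSystemRights]::Modify
    $rule   = New-Object System.Security.AccessControl.FileSystemAccessRule(
                  $Group, $rights, $inherit, $propagate, $allow)
    $acl = Get-Acl -LiteralPath $path
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $path -AclObject $acl
}

# Registry: read/write on the application's own key and its subkeys only.
foreach ($key in $RegKeys) {
    if (-not (Test-Path -LiteralPath $key)) { Write-Warning "Missing key: $key"; continue }
    $rights = [System.Security.AccessControl.RegistryRights]'ReadKey, WriteKey'
    $rule   = New-Object System.Security.AccessControl.RegistryAccessRule(
                  $Group, $rights,
                  [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
                  $propagate, $allow)
    $acl = Get-Acl -LiteralPath $key
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $key -AclObject $acl
}

# Audit: report broad groups in local Administrators (BUILTIN\Administrators = S-1-5-32-544).
# Domain Users has a SID ending in -513; Authenticated Users is S-1-5-11.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.SID.Value -match '-513$' -or $_.SID.Value -eq 'S-1-5-11' } |
    ForEach-Object { Write-Warning "Broad group in local Administrators: $($_.Name)" }
```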
 