RE: Impact of removing administrative rights in an enterprise running XP



Another great product which I have personally tested is Desktop
Authority by Scriptlogic.
This product will give you granular level control over your environment
as well as provide useful tools to achieve even greater control.

Mark Jackson - Infrastructure Architecture
Lead Desktop Architectural and Security Engineer


-----Original Message-----
From: Joshua Morehouse [mailto:JMOREHOUSE@xxxxxxx]
Sent: Thursday, July 27, 2006 8:10 AM
To: Drew Simonis; Focus-MS
Subject: RE: Impact of removing administrative rights in an enterprise
running XP

Morning,

We are also investigating the process of removing users from the local
administrative group. In our research we've found and purchased a
product that will allow us to do so via AD GPO.

The product in question is Desktop Standard and will allow us to do the
following.

* Remove all domain users from the local admin group by OU and other
filters.
* Set programs that need to run with administrative privileges to do so.
* For systems where users must have local admin privileges we can set
programs such as IE to run with lower rights while the user still has
local privileges.

More information on the product set can be found @
http://www.desktopstandard.com.

While this product will help us from a technical side, the harder thing
for us to overcome will be corporate culture.

Josh

-----Original Message-----
From: Drew Simonis [mailto:simonis@xxxxxxxxxx]
Sent: Thursday, July 27, 2006 9:54 AM
To: Focus-MS
Subject: Impact of removing administrative rights in an enterprise
running XP

Hello all,
I wonder if anyone on the list who might work for a good sized
enterprise (10,000+ seats) has gone through the excercise of removing
administrative rights from the user community?

Aside from the effort to inventory all applications and ensure that they
work with restricted permissions, I forsee that such an effort would
likely require changes to the entire support model. Instead of relying
on users to install their own software, it would need to be done for
them. New hardware would require intevention, etc.

If someone has completed this, was support a major new burden, or was it
not as difficult as it might be? If it was, how much of a burden was it
(+ desktop support headcount? +helpdesk calls?)?

-Ds

------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
This electronic message and all attachments transmitted with
it may contain confidential and legally privileged information
belonging to the sender. Please visit
http://www.fbr.com/ecdisclosures.asp for important related
disclosures, by either following the attached hyperlink or
copying and pasting the URL into your internet browser.

------------------------------------------------------------------------
---
------------------------------------------------------------------------
---




---------------------------------------------------------------------------
---------------------------------------------------------------------------



Relevant Pages

  • RE: Impact of removing administrative rights in an enterpriserunning XP
    ... Impact of removing administrative rights in an enterpriserunning XP ... Impact of removing administrative rights in an enterprise ... Set programs that need to run with administrative privileges to do so. ... For systems where users must have local admin privileges we can set ...
    (Focus-Microsoft)
  • Re: users removing Domain Admin from local admin group
    ... > The users in my organization all have local admin ... > privileges on their machines, and some of them abuse this ... > has limitations -- is there a way to tweak the security ... > policy so that the user has all administrative rights ...
    (microsoft.public.win2000.security)
  • Re: users removing Domain Admin from local admin group
    ... > The users in my organization all have local admin ... > privileges on their machines, and some of them abuse this ... > policy so that the user has all administrative rights ...
    (microsoft.public.win2000.security)
  • users removing Domain Admin from local admin group
    ... The users in my organization all have local admin ... privileges on their machines, and some of them abuse this ... privilege to remove the domain admin account from the ... policy so that the user has all administrative rights ...
    (microsoft.public.win2000.security)
  • Re: Power Management Settings
    ... >>on that PC do not have administrative rights. ... >Obvious suggestion: Make the user a local admin, ... >the user from the local admin group. ... >Might also post in a scripting group for suggestions on ...
    (microsoft.public.win2000.security)