RE: Impact of removing administrative rights in an enterprise running XP

Another great product which I have personally tested is Desktop
Authority by Scriptlogic.
This product will give you granular level control over your environment
as well as provide useful tools to achieve even greater control.

Mark Jackson - Infrastructure Architecture
Lead Desktop Architectural and Security Engineer

-----Original Message-----
From: Joshua Morehouse [mailto:JMOREHOUSE@xxxxxxx]
Sent: Thursday, July 27, 2006 8:10 AM
To: Drew Simonis; Focus-MS
Subject: RE: Impact of removing administrative rights in an enterprise
running XP


We are also investigating the process of removing users from the local
administrative group. In our research we've found and purchased a
product that will allow us to do so via AD GPO.

The product in question is Desktop Standard and will allow us to do the

* Remove all domain users from the local admin group by OU and other
* Set programs that need to run with administrative privileges to do so.
* For systems where users must have local admin privileges we can set
programs such as IE to run with lower rights while the user still has
local privileges.

More information on the product set can be found @

While this product will help us from a technical side, the harder thing
for us to overcome will be corporate culture.


-----Original Message-----
From: Drew Simonis [mailto:simonis@xxxxxxxxxx]
Sent: Thursday, July 27, 2006 9:54 AM
To: Focus-MS
Subject: Impact of removing administrative rights in an enterprise
running XP

Hello all,
I wonder if anyone on the list who might work for a good sized
enterprise (10,000+ seats) has gone through the excercise of removing
administrative rights from the user community?

Aside from the effort to inventory all applications and ensure that they
work with restricted permissions, I forsee that such an effort would
likely require changes to the entire support model. Instead of relying
on users to install their own software, it would need to be done for
them. New hardware would require intevention, etc.

If someone has completed this, was support a major new burden, or was it
not as difficult as it might be? If it was, how much of a burden was it
(+ desktop support headcount? +helpdesk calls?)?


This electronic message and all attachments transmitted with
it may contain confidential and legally privileged information
belonging to the sender. Please visit for important related
disclosures, by either following the attached hyperlink or
copying and pasting the URL into your internet browser.