Re: Granting Domain Users Local Admin Rights
- From: powlaz <powlaz@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 21 Apr 2009 05:40:02 -0700
Thank you both for your replies. I've found this issue particularly
difficult to make a decision about because for every person who is against
this practice there is another person who is for it.
Uncle_Nick - thanks for the specifics. These are key to weighing my
options. I have found workarounds for the programs that we have that
require admin privileges to be run and today I will experiment with running
our login script with admin privileges which should be the final detail
needed before switching everyone over.
Your reply did prompt another question or two. In a multi-domain
environment how is giving Domain Users local admin rights insufficient? We
have only one domain and I tend to think "small".
Am I wrong in saying that in a single domain environment there really is no
difference between Authenticated Users and Domain Users? Also, do I
understand correctly that Guest accounts don't authenticate against AD and
this is why they are safer?
Thanks again for the information.
MJ
Regarding local privileges
"Uncle_Nick" wrote:
All users getting Local Admin privileges ?
This is generally done as a workaround where an application is badly
written and requires elevated privileges in order to run correctly - and
there is no resource available to analyse the minimum extra privileges
actually needed.
The command I use for these unpleasant needs is
Net Localgroup administrators "authenticated users" /add
as I agree with John that "Interactive Users" is a less secure object
to use.... but in a multi-domain environment, "Domain Users" is
insufficient.
As a user with local admin privileges, I could inadvertently or
deliberately install software that could:
- compromise the machine and/or the network
- create conflicts with company software, reducing employee
productivity
- compromise your company's reputation
- compromise your company's obligations under sexual harassment laws
/ ISP acceptable usage rules etc
- just fill the machine with crap
As a malicious user with admin privileges I could flush my eventlogs
and text logs to mask my actions
As a clumsy user with admin privileges
- I could move or delete files+folders and render the machine
inconvenient, slow or broken
- save data in obscure locations and then forget where it was
- make profile changes with global ramifications
- disrupt system updating, change time/date, disrupt shared resources
....all of which increase IT Support work, diverting limited resources
away from more significant activities
In general, identify what activities require elevated privileges;
scope the exact extra privileges required; check if being a member of
the local Power Users group is a good match, and if not, build a new
local group with the necessary additional privileges and add your domain
users to that group
good luck
Nick
--
Uncle_Nick
------------------------------------------------------------------------
Uncle_Nick's Profile: http://forums.techarena.in/members/71921.htm
View this thread: http://forums.techarena.in/windows-security/1162763.htm
http://forums.techarena.in
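
An added example, not part of the thread or either poster's own code: a PowerShell check for the configuration discussed above, flagging broad principals such as Authenticated Users or Domain Users in the local Administrators group. The function name Find-BroadAdminMember and the sample SIDs are constructed for illustration; the live check assumes Windows PowerShell 5.1 or later, where Get-LocalGroupMember is available.

```powershell
# Added example (not from the thread). Find-BroadAdminMember is a hypothetical helper name.
function Find-BroadAdminMember {
    param([Parameter(Mandatory)] [string[]] $MemberSid)

    # Well-known SIDs that cover every (or nearly every) logged-on user.
    $broad = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-4'      = 'INTERACTIVE'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }

    foreach ($sid in $MemberSid) {
        if ($broad.ContainsKey($sid)) {
            [pscustomobject]@{ Sid = $sid; Principal = $broad[$sid] }
        }
        elseif ($sid -match '^S-1-5-21-\d+-\d+-\d+-513$') {
            # RID 513 is Domain Users; the SID prefix identifies one domain only.
            [pscustomobject]@{ Sid = $sid; Principal = 'Domain Users' }
        }
    }
}

# Constructed sample membership: built-in Administrator, Domain Admins,
# Authenticated Users, and Domain Users of one made-up domain.
$sample = @(
    'S-1-5-21-1111111111-2222222222-3333333333-500'
    'S-1-5-21-4444444444-5555555555-6666666666-512'
    'S-1-5-11'
    'S-1-5-21-4444444444-5555555555-6666666666-513'
)
Find-BroadAdminMember -MemberSid $sample

# On a live machine, read the real membership of BUILTIN\Administrators (S-1-5-32-544).
if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
    $live = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object { $_.SID.Value })
    if ($live.Count -gt 0) { Find-BroadAdminMember -MemberSid $live }
}
```

Matching on SIDs rather than display names keeps the check working on localized Windows installs, where the group names are translated.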