Not that I have anything to add, but you wanted a consensus, so I’ll wholeheartedly vote for everything Dan’s said.

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dan DeStefano
Sent: Thursday, June 30, 2005 8:02 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Do you make your users local admins on their PCs?

 

It is a very poor idea to allow users local admin privileges on their machine. First of all, it is a security vulnerability and makes it much easier for a machine to be compromised by malware. Also, denying admin privileges will help mitigate most Windows vulnerabilities as most of them run in the security context of the locally logged-on user.

 

Another plus is that it allows you to more easily control locally-saved data: if users are only allowed to save data to one or two folder trees, then those are all you have to worry about backing up when you need to move the user.

 

I think it is a poor idea to allow users to install software on their machines. You should control all the software on all machines; this way all the PCs can be kept in a known state, which makes troubleshooting problems much easier. Not to mention the fact that many programs that users tend to download/install will cause increased network traffic and network vulnerability; and these days many freeware programs will also install malware.

_________________________

 

Daniel DeStefano

PC Support Specialist

 

IAG Research

345 Park Avenue South, 12th Floor

New York, NY 10010

T. 212.871.5262

F. 212.871.5300

 

www.iagr.net

Measuring Ad Effectiveness on Television

 


 


From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 30, 2005 8:35 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Do you make your users local admins on their PCs?

 

We're having a big discussion about users being local administrators on their PCs.  We've made them local admins in the past (on NT4 domain) because they needed to be able to install apps, and we kept running into issues that led back to them not having local admin rights.


Is there an easy way now that we're on a Win2k3 AD domain to take admin rights away but still ensure things work correctly? What's the general consensus? Do most of you give your users local admin rights?

