For anybody wanting to address applications and their need/lack thereof for admin rights on machines, I highly recommend taking a look at the Application Compatibility Toolkit.
http://www.microsoft.com/technet/desktopdeployment/appcompat/toolkit.mspx You can save yourself a lot of work and time with it. Laura > -----Original Message----- > From: Jon R. Kibler [mailto:[EMAIL PROTECTED] > Sent: Thursday, July 27, 2006 11:09 AM > To: [email protected] > Cc: Drew Simonis > Subject: Re: Impact of removing administrative rights in an > enterprise running XP > > Drew Simonis wrote: > > Hello all, > > I wonder if anyone on the list who might work for a good > sized enterprise (10,000+ seats) has gone through the > excercise of removing administrative rights from the user community? > > > > Aside from the effort to inventory all applications and > ensure that they work with restricted permissions, I forsee > that such an effort would likely require changes to the > entire support model. Instead of relying on users to install > their own software, it would need to be done for them. New > hardware would require intevention, etc. > > > > If someone has completed this, was support a major new > burden, or was it not as difficult as it might be? If it > was, how much of a burden was it (+ desktop support > headcount? +helpdesk calls?)? > > > > -Ds > > Drew, > > Have not done it in as large of an organization as you > indicate, but have TRIED to do it in smaller organizations -- > and ran into MANY brick walls. It is still a > work-in-progress! Things are better, but we're not there yet > by any stretch at any organization that I am working with. > > The primary issue is that A LOT of applications > assume/require administrative privilege to work. In reality, > you can probably get many/most to run with less than admin > priv, but figuring out what is the minimum required is not an > easy task. And don't expect the application vendor to be any > help either! > > Trying to remove local admin priv is a trial-and-error > process. A lot of apps will work most of the time, then one > seldom-used feature breaks it. > > You would be surprised the apps that require privilege to > run... many big name ones, such as the Intuit product line. > There was a discussion on DShield a few months back on this > topic, and several people named names of applications with > privilege problems (but nothing close to scratching the surface!). > > Good luck. > > Oh, BTW, as you try this task, publishing a list of the > required minimum privilege for each application would be a > great help to everyone. I wanted to do that, but my clients > all objected. > > Jon > -- > Jon R. Kibler > Chief Technical Officer > Advanced Systems Engineering Technology, Inc. > Charleston, SC USA > (843) 849-8214 > > > > > > ================================================== > Filtered by: TRUSTEM.COM's Email Filtering Service > http://www.trustem.com/ > No Spam. No Viruses. Just Good Clean Email. > > > --------------------------------------------------------------------------- ---------------------------------------------------------------------------
