Dick Venema wrote:
> Is it not supposed to be a protection measure against any virus and
> spyware?
> 
> We are supporting networks with around 10 users.
> If I understand it well enough, it is impossible to manage PCs
> without direct admin rights. 
> 
> Most issues are with installing applications.
> I thought that Microsoft and with them many other people almost
> ordered everybody to get rid of those admin rights. 
> 
> But from the reactions I hear, everybody complains. Are there success
> stories? 
> 
> Dick Venema
> Venema Advies
> 


No one on any of the networks I support has admin access.  There is
almost never a need for full admin privs.  Some people have power user
privs for programs like AutoCAD and others.  For most applications,
general user privs are fine.  Anything more and you can simply modify
permissions on the relevant folders/files/registry settings as necessary
to avoid granting elevated privs.  It has always been my opinion that
this has been the best approach.  As soon as W2K was released I was
ecstatic to be able to have tighter control over network security.
Windows98 was fun and all, but manually changing those settings with
Policy Editor (poledit) was a pain in the neck if you didn't get it right.

Get Upper Management approval/backing along with an Acceptable Usage
Policy and your users will adapt and comply.  Plan for remote desktop
support.  I like Remote Desktop and VNC.

As for the process, break down the PCs into groups by departments
(maybe a good time to restructure AD and add some OUs).  Take a
methodical approach, documenting the pertinent programs used in each
department and how they interact with the system.  Some specialty
software may require tweaking, but I'd bet most everyone is running
similar software that does not require any admin rights whatsoever.  Use
Group Policy to roll out the same settings to the individual departments
should they require anything special.

If it was me, I'd probably want to overkill the project and reformat all
machines.  Now that your users have had admin rights on their box, you
can no longer be sure that the integrity of the system has not been
compromised.  Utilize some disk imaging solutions for faster deployment.
In fact, that is EXACTLY what I did in my current position.  Everyone
here is running fine without any problems whatsoever.

Good Luck with your project!

JMB
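
The per-folder and per-registry-key permission change described in the reply above, as an added PowerShell example that is not part of the original thread. The group name, folder and registry key are hypothetical placeholders, and the function name Grant-AppWriteAccess is made up for this illustration.

```powershell
# Added example: let one group write to a legacy application's own folder and
# registry key so its users can remain standard users. Run from an elevated session.
$Group     = 'CONTOSO\CAD-Users'                 # hypothetical AD group
$AppFolder = 'C:\Program Files\LegacyCad\Data'   # hypothetical data folder
$AppRegKey = 'HKLM:\SOFTWARE\LegacyCad'          # hypothetical registry key

function Grant-AppWriteAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Skipping $Path (not found)"
        return
    }
    $item  = Get-Item -LiteralPath $Path
    $acl   = Get-Acl -LiteralPath $Path
    $prop  = [System.Security.AccessControl.PropagationFlags]::None
    $allow = [System.Security.AccessControl.AccessControlType]::Allow

    # Registry keys and file system objects use different rule classes and rights.
    if ($item.PSProvider.Name -eq 'Registry') {
        $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
        $rights  = [System.Security.AccessControl.RegistryRights]'ReadKey, SetValue, CreateSubKey'
        $rule    = New-Object System.Security.AccessControl.RegistryAccessRule(
                       $Identity, $rights, $inherit, $prop, $allow)
    } else {
        # Inheritance flags are only valid on folders; a single file takes None.
        $inherit = if ($item.PSIsContainer) {
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
        } else { [System.Security.AccessControl.InheritanceFlags]::None }
        $rights  = [System.Security.AccessControl.FileSystemRights]::Modify
        $rule    = New-Object System.Security.AccessControl.FileSystemAccessRule(
                       $Identity, $rights, $inherit, $prop, $allow)
    }
    if ($PSCmdlet.ShouldProcess($Path, "Allow '$rights' for $Identity")) {
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $Path -AclObject $acl
        # Return the resulting entries for the group so the change can be documented.
        (Get-Acl -LiteralPath $Path).Access |
            Where-Object { $_.IdentityReference.Value -eq $Identity }
    }
}

# Preview first; remove -WhatIf to apply.
foreach ($target in $AppFolder, $AppRegKey) {
    Grant-AppWriteAccess -Path $target -Identity $Group -WhatIf
}
```

Scope the grant to the data or settings location the program actually writes to rather than the folder holding its executables, since a user-writable program folder lets a standard user replace binaries that other accounts run.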


