Administrative Privelages Issue


  1. Posts : 6
    Windows 7 64bit
       #1

    Administrative Privelages Issue


    Dear Windows 7 IT Community,
    Please comment only if you are a seasoned system administrator. That being said, our office is configured with Windows 7 64 bit workstations, Public Firewall settings and Symantec Endpoint Protection. Users log in as local standard users. I keep getting complaints that the users would like to administrate their own machines and would like an administrative account in addition to their standard user account to run updates, install software, etc. Despite being standard users and having to call IT for support with 3rd party software updates, and installs, we have had a few minor virus/trojan incidents. Running the AV full scan removed them.
    As the IT admin, I feel safer if the users did not have administrative abilities even though it would be a separate account. I wanted to ask your professional opinion on this.
    Thanks
      My Computer


  2. Posts : 1,426
    7 Pro
       #2

    Keep them off of Administrative privledges if you have the chance... Once users' have been spoiled with privledges it will be a battle taking them away again.

    Software installs can be published through GPO, so they shouldn't be calling for installations that much.
    Updates (win or 3rd party) can all be processed through GPO or WSUS as well.

    Any virus or malware, as I'm sure you are aware, will do 100x times the damage to the machine/network if the user is an admin... If the user needs rdp access, move them to "Remote Users" group instead of Standard.
      My Computer


  3. Posts : 6
    Windows 7 64bit
    Thread Starter
       #3

    Yes, brady you are right, once privelaged, it is hard to take them away. That is why we are having the debate acutally

    Can you please restate your argument taking into consideration there is no AD (yet), only local accounts. I'd like to hear your opinion and perhaps some documentation to back it up so that I can use it at the team IT meeting.
      My Computer


  4. Posts : 6
    Windows 7 64bit
    Thread Starter
       #4

    Also, they do not want to be logged in as admin as it states in question. They want to be able to run the updates for third party software and periodic software installs...
    Last edited by askWinters; 29 Nov 2010 at 13:59. Reason: fix typo
      My Computer


  5. Posts : 1,426
    7 Pro
       #5

    Without running in a domain environment (hopefully you have only a handful of computers in this setup), my setup of the machines would differ in the following ways:

    Create a working image with all software suites pre installed (this should reduce the need of 3rd party installations) - All work related installations should be done to the image and not the machine(s).

    3rd party updates can be done via login scripts stored in the "Startup folder" or tsk scheduler to runas local admin when they first login... these scripts will launch the program with administrative privledges to allow the updates.
      My Computer


  6. Posts : 1,849
    Windows 7 x86/x64, Server 2008r2, Web Server 2008
       #6

    As Brady stated, the user is more dangerous than any virus can be.
    This is because the user can instal malicious software as well as leak the password not thinking its important or night at the local pub. (with the password god know what can happen from there)

    Brady also had a good idea with the runas set up for the updates.
      My Computer


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 02:26.
Find Us