Administrative Privelages Issue

[askWinters]

Dear Windows 7 IT Community,
Please comment only if you are a seasoned system administrator. That being said, our office is configured with Windows 7 64 bit workstations, Public Firewall settings and Symantec Endpoint Protection. Users log in as local standard users. I keep getting complaints that the users would like to administrate their own machines and would like an administrative account in addition to their standard user account to run updates, install software, etc. Despite being standard users and having to call IT for support with 3rd party software updates, and installs, we have had a few minor virus/trojan incidents. Running the AV full scan removed them.
As the IT admin, I feel safer if the users did not have administrative abilities even though it would be a separate account. I wanted to ask your professional opinion on this.
Thanks

 

[brady]

Keep them off of Administrative privledges if you have the chance... Once users' have been spoiled with privledges it will be a battle taking them away again.

Software installs can be published through GPO, so they shouldn't be calling for installations that much.
Updates (win or 3rd party) can all be processed through GPO or WSUS as well.

Any virus or malware, as I'm sure you are aware, will do 100x times the damage to the machine/network if the user is an admin... If the user needs rdp access, move them to "Remote Users" group instead of Standard.

 

[askWinters]

Yes, brady you are right, once privelaged, it is hard to take them away. That is why we are having the debate acutally

Can you please restate your argument taking into consideration there is no AD (yet), only local accounts. I'd like to hear your opinion and perhaps some documentation to back it up so that I can use it at the team IT meeting.

 

[askWinters]

Also, they do not want to be logged in as admin as it states in question. They want to be able to run the updates for third party software and periodic software installs...

 

[brady]

Without running in a domain environment (hopefully you have only a handful of computers in this setup), my setup of the machines would differ in the following ways:

Create a working image with all software suites pre installed (this should reduce the need of 3rd party installations) - All work related installations should be done to the image and not the machine(s).

3rd party updates can be done via login scripts stored in the "Startup folder" or tsk scheduler to runas local admin when they first login... these scripts will launch the program with administrative privledges to allow the updates.

 

[mckillwashere]

As Brady stated, the user is more dangerous than any virus can be.
This is because the user can instal malicious software as well as leak the password not thinking its important or night at the local pub. (with the password god know what can happen from there)

Brady also had a good idea with the runas set up for the updates.