Re: Local Admin Rights

From: Dave Nickason [SBS MVP]
Date: 03/18/04

Date: Thu, 18 Mar 2004 17:53:44 -0500

First of all, you would make them local administrators, not domain admins,
right? I can't imagine any reason why an app would require more than local
admin rights, no matter how badly written. Having them local admins rather
than domain admins doesn't help with the worm situation, installing
unauthorized software, etc. but at least it lessens your worry about what
they're doing to each other's machines and the server. You'd add the domain
users group to the local administrators group on each workstation in Local
Security Policy, not the domain-wide administrators group.

All that said, I'd fight with the vendor some more. I would tell them that
your company policy forbids users running with admin rights, which everyone
knows is contrary to good security practice. If you pursue it hard enough,
you may find out that you can get by with power user rights. I've run into
similar situations a couple of times, and with one exception the worst I've
seen is that I had to edit the permissions on a couple of registry keys to
make this work. If you can find out from the vendor what keys are causing
the problem (assuming it's that), you can extend the admin group permission
for those keys to power users, and that'll solve it. It seems likely that
the issue is either caused by the write permissions to the program's
registry keys, or to directory or file security, either of which could be

I've had one case where a program wouldn't run for power users, and the
vendor could not tell me why not. This program wasn't worth the effort of
trying to figure it out, so I returned it (I understand you may not have
that option in this case).

"Freud" <> wrote in message
> Hi:
> I have SBS 2000 running a small domain with W2K clients. Our main
> management software requires (annoyingly) that the users run with
> administrator rights. They suggest adding the Authenticated Users group
> to the Administrators group to allow anyone to log on to the domain and
> get full rights. I'm worried that this will leave all the hidden shares
> exposed to every other machine and that a worm could wreak havoc through
> this, but I haven't come up with a good solution. What I want is to give
> admin rights to the local machine only to any user who logs on to the
> domain. Any ideas?
> Thanks in advance,
> Freud
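One way to carry out the workaround Dave describes (extend write permission on the program's own registry keys and folders to Power Users instead of putting users in Administrators), as an added PowerShell example that is not from the original thread. On the Windows 2000 machines in the thread this would have been done by hand in regedt32 and Explorer; the script is a modern equivalent. The paths and the group name are placeholders to be replaced with what the vendor or your own testing identifies.

```powershell
# Added example, not from the original post. Grants a non-admin group write
# access only to the keys/folders a program needs. Run from an elevated
# PowerShell on the workstation. Paths below are placeholders.
param(
    [string[]]$Paths = @(
        'HKLM:\SOFTWARE\ExampleVendor\ExampleApp',   # placeholder key
        'C:\Program Files\ExampleApp\Data'           # placeholder folder
    ),
    [string]$Group = 'BUILTIN\Power Users'
)

foreach ($path in $Paths) {
    if (-not (Test-Path -Path $path)) {
        Write-Warning "Skipping missing path: $path"
        continue
    }
    $acl = Get-Acl -Path $path
    $isRegistry = (Get-Item -Path $path).PSProvider.Name -eq 'Registry'

    if ($isRegistry) {
        # Read plus write to values/subkeys under this key only; nothing
        # elsewhere in the hive.
        $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
            $Group,
            [System.Security.AccessControl.RegistryRights]'ReadKey, WriteKey',
            [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
    } else {
        # Modify (not Full Control) on the folder and everything below it.
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
            $Group,
            [System.Security.AccessControl.FileSystemRights]::Modify,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
    }

    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Read the ACL back and confirm the grant actually landed.
    $check = (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Group -and $_.AccessControlType -eq 'Allow' }
    if ($check) { Write-Host "OK: $Group -> $path" } else { Write-Warning "Grant not visible on $path" }
}
```

Run the application as a Power User afterwards; if it still fails, the remaining blocked key or folder is the next candidate for the list, not a reason to fall back to admin rights.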