Re: Automatically making AD users local administrators on computers in SBS 2003

Thanks everyone, for the excellent discussion.
I am in total agreement that it is best practice to adhere to a "least is
best" when assigning user rights. It used to be that a company policy was
enough to prevent misuse, but not anymore given the increasing presence of
malicious software installing itself by impersonating the currently logged
on user.
My goal is to give some control back to those clients requesting it and at
the same time protect them from unwanted malicious software. I believe that
implementing firewalls, antivirus, antispyware, patching, and company usage
policy are fundamental to good security. These are relatively automatic and
do not require an administrator's ongoing presence.

I think I will set up an account as Chad suggested using option 2 and
provide the client this account and password. When an employee needs to
install some new software that requires local administrative rights, they
can use this special local administrator account. I suppose you could set up
everyone with a second account having local administrative rights to use for
software installation. The incentive not to use their local administrative
account except for software installation would be that their email is not
available under that account.

I would like to find a simpler, more transparent method that would allow
programs that require local administrative rights to install correctly from
a logon script. Is anyone familiar with EPAL (Elevated Privileges
Application Launcher)?
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=CF3CC921-9B8E-4266-A905-2E2A20217CE0

I also ran across this product which might provide a solution.
http://www.emco.is/tutorials/runasprofessional/how_to_create_runas_action/how_to_create_runas_action.html

I suppose Microsoft SMS offers a solution to this problem although a little
pricey for my clientele.

Thanks to all,
Bob

"Chad A. Gross [SBS MVP]" <chad.gross@xxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:uqNcNt3QFHA.244@xxxxxxxxxxxxxxxxxxxxxxx
> But that gets cumbersome . . . e.g. you've already deployed your SBS &
> workstations (via ConnectComputer) - and three months later you have a new
> user that you want to be a local Admin on all workstations (which I'll
> point out up front isn't a great idea anyway . . . stupid insecure apps
> . . . but I digress . . . ) There's no additional benefit to re-running
> the ConnectComputer wizard on each machine - because if you have to touch
> each workstation, why not just add the user as an Admin versus running the
> ConnectComputer wizard?
>
> In this scenario, you have three options - and they'll all involve
> touching each workstation - but you'll be good to go moving forward.
>
> 1) On each PC, add the INTERACTIVE group to the Administrators group.
> This will automatically give each user that logs in local Admin rights.
> Downside is that if you ever want a user to not have local admin rights,
> you won't be able to restrict them as long as you have this configuration.
>
> 2) Create a Security Group within AD (e.g. Local Admins). On each
> workstation, add the domain Local Admins group you created to the local
> Administrators group. Then on your SBS, add your existing users to the
> Local Admins group, and create a new user template that includes Local
> Admins group membership. When you create a new user, use the custom
> template and they'll be included in the Local Admins security group, which
> will give them local admin rights on the machines where you added the
> Local Admins group to the local Administrators group.
>
> 3) Preferred solution: Don't give users local admin rights. Find your
> problem apps that don't run as a restricted user and start nagging the
> vendor. Ask why they find exposing your business to undue risk as a
> justified business practice on their part. Find what directories / reg
> keys those apps want access to and tweak the permissions accordingly to
> allow restricted users to be able to access those locations (and thus run
> the problem apps).
>
> --
>
> Chad A. Gross - SBS MVP
> SBS ROCKS!
>
> www.msmvps.com/cgross
> www.gosbs.org
>
>
> Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
>> Run the connect computer wizard and that's exactly what is done.
>>
>> Bob Genestet wrote:
>>> Is there any way to automatically add new AD users as local
>>> administrators to each client computer? I tried to rerun the
>>> "Network Configuration Wizard" to add newly added multiple AD users
>>> to client computers, except that the wizard will not run again if it
>>> detects the computer is already a member of the domain. It would be
>>> nice to have the server automatically assign local rights when a
>>> new user logs on at a computer. Is this possible? Thanks,
>>> Bob
>
>
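An added example, not part of the thread, of how Chad's option 2 can be rolled out without visiting each PC by hand: a computer startup script (Group Policy, Computer Configuration > Windows Settings > Scripts > Startup, so it runs as SYSTEM) that puts one AD security group into the local Administrators group and logs the resulting membership for review. The domain name MYDOMAIN, the group name "Local Admins" and the share \\SERVER\logs$ are placeholders.

```batch
@echo off
rem Added example (not from the thread): implement option 2 from a startup
rem script so that AD group membership, not per-PC edits, decides who is a
rem local admin on each workstation.
rem Assumptions (placeholders): NetBIOS domain MYDOMAIN, AD security group
rem "Local Admins", writable log share \\SERVER\logs$.

setlocal
set DOMAIN=MYDOMAIN
set GROUP=Local Admins
set LOG=\\SERVER\logs$\localadmins-%COMPUTERNAME%.txt

rem Idempotent check: "net localgroup" lists domain members as DOMAIN\name,
rem so only add the group when it is not already listed.
net localgroup Administrators | find /i "%DOMAIN%\%GROUP%" >nul
if errorlevel 1 (
    net localgroup Administrators "%DOMAIN%\%GROUP%" /add
    echo %DATE% %TIME% added "%DOMAIN%\%GROUP%" to Administrators >> "%LOG%"
) else (
    echo %DATE% %TIME% "%DOMAIN%\%GROUP%" already present >> "%LOG%"
)

rem Audit: record the full local Administrators membership centrally, so
rem stray entries (INTERACTIVE left over from option 1, or local accounts
rem created by users) are visible to the administrator without touching
rem the machine again.
echo --- Administrators on %COMPUTERNAME% --- >> "%LOG%"
net localgroup Administrators >> "%LOG%"
endlocal
```

Removing a user's local admin rights then only requires taking them out of the AD group; the next logon reflects the change because the rights come from the group, not from a per-machine account entry.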
