Re: Does anyone truly use Restricted User Accounts?



I just wanted to say X-L-ent reply, Andrew. Post a "how-to" or "White paper"
on smallbizserver.net? This would be helpful to so many, you might have
'fixed' some programs that have yet to be tackled. But heck, even MS didn't
follow its own guides with SBA, soooooo.

"Andrew M. Saucci, Jr." wrote:

> One of my new year's resolutions for last year was to get rid of
> local administrator privileges, after Jeff Middleton announced that it was
> one of his goals. I've been somewhat successful-- enough to plow forward,
> but still a long way to go. This year I deployed three networks without any
> local administrators. I also had one from last year that is still running
> fine. Three of those four networks have users running QuickBooks, one of the
> worst offenders. I know it can be done and I intend to do more of it. The
> biggest challenge is not really a technical challenge; with RegMon and
> FileMon I can crack any two-bit application that claims to need
> administrator privileges. The challenge is to convince users that they
> should let me lock down the workstations and install all software instead of
> letting the users do it themselves. That is especially difficult as a
> "retrofit" policy on networks that were originally deployed wide-open-- it
> can come across as a power grab or a way to make the user dependent upon me
> so that my boss' wallet gets fat. I hope to convince people that I'm just
> looking out for their best interests and not looking to increase revenue or
> power for my company. That's where maintaining good relationships with
> clients is important. Once I have a good track record with a client, I'm
> more likely to be seen as a benevolent healer instead of a megalomaniac.
>
> Finally, I now insist that my colleagues use the term,
> "administrator privileges." No one is born with "administrator rights." That
> sounds too much like "human rights." Privileges are granted to those who
> demonstrate a need for them. With clients, I try not to talk about
> administrator anything. I just say, "I'm going to lock the machine so that
> it can't get messed up." Explained like that, people are more willing to
> give it a try. Any time a workstation gets trashed with adware and spyware--
> I move in with my pitch. It also helps when I can promise to fix any
> problems that may arise, since I now have the tools to do it. Also important
> is to make the distinction between user accounts and users. I tell people,
> "I trust you but I don't trust anything that may happen to be running under
> your user account." Telling Linda that I don't trust her is a sure way to
> start a fistfight.
>
> Another alternative is to restrict Internet access. If someone has
> no Internet, I don't feel quite as bad about letting that person be an
> administrator, although it still bothers me. If I have an image of the
> workstation, that helps as well, since at least I'll have the tools to fix
> the workstation fast when it does get trashed.
>
>
> "Brian Williams" <BrianWilliams@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:391FECF1-6E58-4719-B3E5-399B60B6B111@xxxxxxxxxxxxxxxx
> > Hello, I've tried to implement Restricted User Accounts to protect our
> > workstations and network. Every time I try to implement this, something like
> > QuickBooks or the printer drivers, or some third party software requires the
> > user to have local Admin rights.
> >
> > We also have 30+ real estate agents in our office who use a local MLS
> > application to access and input their listings, this site requires ActiveX
> > and local admin rights.
> >
> > Has anyone truly and successfully implemented Restricted User Accounts on
> > their workstations? If so, where am I going wrong here?
>
>
>