#1

Granting Domain Users Local Admin Rights

We have historically done this on our Windows XP Pro/ Server 2003 SP2 AD network: When a user is set up at a computer their domain login is added to the local PC with administrator rights. Problems arise when the user goes to another computer where they haven't been added as a local admin, for local admin rights are required for a couple of our programs to run.

So I began looking for an easier way to do this and discovered a couple of options:

1. Add the Interactive Users group to the local admin group
2. Add the Domain Users group to the local admin group

Does anyone know what the difference is? Interactive users are those sitting at the PC that have authenticated (logged in). Domain users also have to authenticate, so why use one vs. the other?

Now the "big get". On our network we have never had an incident that resulted from a user having local admin rights. I realize that we've been lucky, but in a small company without a bad history (people abusing the local admin privileges) what do we stand to gain or how are we protecting ourselves by taking away the local admin rights for our users? Please be specific.

Thanks,
MJ
#2

Re: Granting Domain Users Local Admin Rights

powlaz <powlaz@discussions.microsoft.com> wrote in news:74A9D91F-9978-4AF4-A6EB-C18757217D9C@microsoft.com:

> We have historically done this on our Windows XP Pro/ Server 2003
> SP2 AD network: When a user is set up at a computer their domain
> login is added to the local PC with administrator rights.
> Problems arise when the user goes to another computer where they
> haven't been added as a local admin, for local admin rights are
> required for a couple of our programs to run.
>
> So I began looking for an easier way to do this and discovered a
> couple of options:
>
> 1. Add the Interactive Users group to the local admin group
> 2. Add the Domain Users group to the local admin group
>
> Does anyone know what the difference is? Interactive users are
> those sitting at the PC that have authenticated (logged in).
> Domain users also have to authenticate, so why use one vs. the
> other?
>
> Now the "big get". On our network we have never had an incident
> that resulted from a user having local admin rights. I realize
> that we've been lucky, but in a small company without a bad history
> (people abusing the local admin privileges) what do we stand to
> gain or how are we protecting ourselves by taking away the local
> admin rights for our users? Please be specific.
>

I work for a not-so-small company and our IT dept does things very similar to you. Employees are given admin access to their own machine via their domain login. Communal computers such as conference room computers and training room computers usually include "Domain Users" in the local admin group. Communal computers rarely store data of consequence, so should one become contaminated or otherwise screwed up, it is simply re-imaged by the IT department -- usually faster than debugging the problem.

"Interactive" users can include local "guest" logins, so it is usually preferable for the Domain to verify the credentials of someone given admin privilege.

HTH,
John
#3

Re: Granting Domain Users Local Admin Rights

All users getting Local Admin privileges? This is generally done as a workaround where an application is badly written and requires elevated privileges in order to run correctly - and there is no resource available to analyse the minimum extra privileges actually needed.

The command I use for these unpleasant needs is

Net Localgroup administrators "authenticated users" /add

as I agree with John that "Interactive Users" is a less secure object to use.... but in a multi-domain environment, "Domain Users" is insufficient.

As a user with local admin privileges, I could inadvertently or deliberately install software that could:
- compromise the machine and/or the network
- create conflicts with company software, reducing employee productivity
- compromise your company's reputation
- compromise your company's obligations under sexual harassment laws / ISP acceptable usage rules etc
- just fill the machine with crap

As a malicious user with admin privileges I could flush my event logs and text logs to mask my actions.

As a clumsy user with admin privileges
- I could move or delete files+folders and render the machine inconvenient, slow or broken
- save data in obscure locations and then forget where it was
- make profile changes with global ramifications
- disrupt system updating, change time/date, disrupt shared resources
....all of which increase IT Support work, diverting limited resources away from more significant activities

In general, identify what activities require elevated privileges; scope the exact extra privileges required; check if being a member of the local Power Users group is a good match, and if not, build a new local group with the necessary additional privileges and add your domain users to that group.

good luck
Nick
#4

Re: Granting Domain Users Local Admin Rights

Thank you both for your replies. I've found this issue particularly difficult to make a decision about because for every person who is against this practice there is another person who is for it.

Uncle_Nick - thanks for the specifics. These are key to weighing my options. I have found workarounds for the programs that we have that require admin privileges to be run, and today I will experiment with running our login script with admin privileges, which should be the final detail needed before switching everyone over.

Your reply did prompt another question or two. In a multi-domain environment how is giving Domain Users local admin rights insufficient? We have only one domain and I tend to think "small". Am I wrong in saying that in a single domain environment there really is no difference between Authenticated Users and Domain Users? Also, do I understand correctly that Guest accounts don't authenticate against AD and this is why they are safer?

Thanks again for the information.

MJ

Regarding local privileges "Uncle_Nick" wrote:

>
> All users getting Local Admin privileges?
> This is generally done as a workaround where an application is badly
> written and requires elevated privileges in order to run correctly - and
> there is no resource available to analyse the minimum extra privileges
> actually needed.
>
> The command I use for these unpleasant needs is
> Net Localgroup administrators "authenticated users" /add
> as I agree with John that "Interactive Users" is a less secure object
> to use.... but in a multi-domain environment, "Domain Users" is
> insufficient.
>
> As a user with local admin privileges, I could inadvertently or
> deliberately install software that could:
> - compromise the machine and/or the network
> - create conflicts with company software, reducing employee
> productivity
> - compromise your company's reputation
> - compromise your company's obligations under sexual harassment laws
> / ISP acceptable usage rules etc
> - just fill the machine with crap
>
> As a malicious user with admin privileges I could flush my event logs
> and text logs to mask my actions
> As a clumsy user with admin privileges
> - I could move or delete files+folders and render the machine
> inconvenient, slow or broken
> - save data in obscure locations and then forget where it was
> - make profile changes with global ramifications
> - disrupt system updating, change time/date, disrupt shared resources
> ....all of which increase IT Support work, diverting limited resources
> away from more significant activities
>
> In general, identify what activities require elevated privileges;
> scope the exact extra privileges required; check if being a member of
> the local Power Users group is a good match, and if not, build a new
> local group with the necessary additional privileges and add your domain
> users to that group
>
> good luck
> Nick
>
> --
> Uncle_Nick
#5

Re: Granting Domain Users Local Admin Rights

I support a number of sites, and policies vary, but basically if users are 'limited' then you need some form of full-featured 'push' software deployment, since it becomes a nightmare to have to install software under an Administrator account, and then have to configure the software a second time under the actual user account. After a few rounds of that you'll do damage to the nearest wall with your cranium.

Being a limited user does have advantages in that it limits the scope of the damage which malware can do. Thus (given standard NTFS permissions) the malware cannot infiltrate the Windows or Program Files folders.

The key point is never to make ordinary users Domain Admins. I know of one site where that is the case, and even my demonstration that I could, if I wished, trash the server from any desktop didn't seem to sink in. It's still like that. Again, it was made like that to get some hack piece of code working.

"powlaz" wrote:

> Thank you both for your replies. I've found this issue particularly
> difficult to make a decision about because for every person who is against
> this practice there is another person who is for it.
>
#6

Re: Granting Domain Users Local Admin Rights

Anteaus, thanks. I didn't spend that much time thinking about software upgrades or additions, but that's exactly what I'm working on right now. Can you give me an example of a full-featured 'push' software deployment program?

Fortunately I'm at least swift enough to have not made everyone a Domain Admin. The little "tightening up" that I've done though was met with kicking and screaming. Everyone really liked the freedom that they were given by the guy who set the network up.

MJ

"Anteaus" wrote:

> I support a number of sites, and policies vary, but basically if users are
> 'limited' then you need some form of full-featured 'push' software
> deployment, since it becomes a nightmare to have to install software under an
> Administrator account, and then have to configure the software a second time
> under the actual user account. After a few rounds of that you'll do damage to
> the nearest wall with your cranium.
>
> Being a limited user does have advantages in that it limits the scope of the
> damage which malware can do. Thus (given standard NTFS permissions) the
> malware cannot infiltrate the Windows or Program Files folders.
>
> The key point is never to make ordinary users Domain Admins. I know of one
> site where that is the case, and even my demonstration that I could, if I
> wished, trash the server from any desktop didn't seem to sink in. It's still
> like that. Again, it was made like that to get some hack piece of code
> working.
>
> "powlaz" wrote:
>
> > Thank you both for your replies. I've found this issue particularly
> > difficult to make a decision about because for every person who is against
> > this practice there is another person who is for it.
> >