
Local Accounts vs Domain Accounts

microsoft.public.windows.server.security
Posted by Dan on April 14, 2006, 3:48 pm
We have a lot of programs that really require power users and would like to
give some users admin rights locally to their machines.

I was reading and saw a recommendation of the following:
Create something like a local_admin and a Local_poweruser security group on the
domain and then add these groups on the local machine.

I like this idea, but the problem I see is that if, say, Mike is in the local_admin
group on the domain and he logs into any PC, he would have local_admin on that
PC. I would only want him to be local_admin on his PC.

What we have right now is creating two accounts for the user, 1 for the domain
and 1 for the PC. However, I would like to avoid this.

Any suggestions are greatly appreciated.
Thanks in advance

Posted by Miha Pihler [MVP] on April 14, 2006, 4:09 pm
Hi Dan,

You can use domain accounts and give these domain accounts only Power Users
(or local Administrators) permission on those PCs that the user will use. This
can simply be done by adding the appropriate user account to the appropriate
local group (e.g. Administrators or Power Users). These groups exist by default
on all computers.

Still, I would like to warn you against it. Users with such permissions will
get infected with malware, spyware and viruses much more easily than users
who are not administrators on their computers.

If you have software that requires elevated privileges, you have a few options.
My first recommendation is to do some investigation into what this software
does that requires these permissions. You can use tools such as Filemon and
Regmon (both can be downloaded from www.sysinternals.com for free) to see
what the software is doing -- e.g. if it is trying to write to the c:\windows
folder... If it does, you can change permissions so that users have
permission to write to this path or registry key...
Second recommendation -- talk to your software vendor to fix the software.
This may sound silly -- but their software is "broken" ...

--
Mike
Microsoft MVP - Windows Security




Posted by Roger Abell [MVP] on April 14, 2006, 4:52 pm

Then do not put everyone in a custom local_admin group that is
admin on all client systems, instead - if you really really must -
make the user a member on their machine only.

That said, this is a bad idea in general, and often can be avoided
with some extra initial work to determine why they need to be an
admin and fixing it so they can do what they should without this.

As a general rule, a person should use day-to-day the least
powered account that lets them do what they need to do on
a day-to-day basis. If a user occasionally needs to do something
else that requires more authority, provide them a way that does
not entail making their day-to-day use have far more power than
is needed.
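The two approaches recommended in this thread, as an added example that is not from any of the posters: Miha's (after Filemon/Regmon has shown which folder and registry key the application writes to, grant the user write access there and nowhere else) and Roger's (if admin really cannot be avoided, grant it on the user's own machine only, never through a domain group that lands on every PC). It uses current PowerShell cmdlets (Get-Acl/Set-Acl, Get-LocalGroupMember/Add-LocalGroupMember; Windows 10 / Server 2016 and later) rather than 2006-era tools; the account CORP\mike, the computer name WS-MIKE01 and the LegacyApp paths are made-up placeholders.

```powershell
# Added example, not from the thread. CORP\mike, WS-MIKE01 and the LegacyApp
# folder/key below are made-up placeholders. Run in an elevated session on the
# workstation being configured.

# Option 1 (what Miha and Joe recommend): after Filemon/Regmon has shown which
# path and key the application writes to, grant write access there and nowhere
# else. The account stays a standard user.
function Grant-AppWriteAccess {
    param(
        [Parameter(Mandatory)] [string]$Account,      # e.g. 'CORP\mike'
        [Parameter(Mandatory)] [string]$FolderPath,   # e.g. 'C:\Program Files\LegacyApp\Data'
        [Parameter(Mandatory)] [string]$RegistryPath  # e.g. 'HKLM:\SOFTWARE\LegacyApp'
    )
    # File system: Modify on the folder, inherited by its files and subfolders.
    $acl  = Get-Acl -Path $FolderPath
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $FolderPath -AclObject $acl

    # Registry: read plus SetValue/CreateSubKey on the application's own key only,
    # not on HKLM\SOFTWARE as a whole.
    $regAcl  = Get-Acl -Path $RegistryPath
    $regRule = [System.Security.AccessControl.RegistryAccessRule]::new(
        $Account, 'ReadKey,SetValue,CreateSubKey', 'ContainerInherit', 'None', 'Allow')
    $regAcl.AddAccessRule($regRule)
    Set-Acl -Path $RegistryPath -AclObject $regAcl
}

# Option 2 (Roger's "if you really really must"): put the domain account into
# the built-in local Administrators group, but only on the one machine assigned
# to that user. No domain-wide local_admin group is involved, so logging on to
# another PC grants nothing extra.
function Add-LocalAdminOnAssignedMachine {
    param(
        [Parameter(Mandatory)] [string]$Account,          # e.g. 'CORP\mike'
        [Parameter(Mandatory)] [string]$AssignedComputer  # e.g. 'WS-MIKE01'
    )
    if ($env:COMPUTERNAME -ne $AssignedComputer) {
        Write-Warning "$env:COMPUTERNAME is not the machine assigned to $Account; nothing changed."
        return
    }
    $members = Get-LocalGroupMember -Group 'Administrators'
    if ($members.Name -contains $Account) { return }   # already a member, nothing to do
    Add-LocalGroupMember -Group 'Administrators' -Member $Account
}

Grant-AppWriteAccess -Account 'CORP\mike' -FolderPath 'C:\Program Files\LegacyApp\Data' -RegistryPath 'HKLM:\SOFTWARE\LegacyApp'
Add-LocalAdminOnAssignedMachine -Account 'CORP\mike' -AssignedComputer 'WS-MIKE01'
```

Option 1 is the one to try first; Option 2 is deliberately guarded by the computer-name check so the same script can be deployed broadly without turning every machine into one where the user is an administrator.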



Posted by Joe Richards [MVP] on April 14, 2006, 5:04 pm
Absolutely concur with Roger here.

Most of the time people give out local admin for some silly application that
wasn't written properly and with a little work they could have found out that
they simply needed to give a little more rights on a single registry key or a
file and bitch at the vendor for the admin req.


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm




Posted by Roger Abell [MVP] on April 15, 2006, 2:10 am
I very much agree with the ending comment that people absolutely
need to let the software vendors hear about how inadequate their
software's out-of-the-box needs are.

Far too many admins have to re-invent the tweaks that the vendor
should have not made necessary - and far far too many more do
not bother seeking out those tweaks and give out admin instead.



