No way, no how. We don't allow users to install apps at all. All
software installs have to be done by IT and approved by the user's
manager and the IT staff. Too many people wanted to put in their little
apps and having their manager have to approve the dancing pigs stopped
most of it.

When people complain, we remind them that the PC is a company tool, not
their toy. Any required company apps are installed by IT.

We run in a relatively secure environment with standardized desktops.
This policy doesn't always work in other types of environments, though.
You need to look at a security assessment of your environment to
determine what will work for you.

At my last gig, we utilized VMware for many departments. The user had
their company desktop, which we kept locked down. We would then provide
them a VM with the OS they needed, with that VM either as a workgroup PC
or joined to a non-production domain as required with no crossover
accounts. The users were allowed whatever level of admin rights they
required on that VM. That worked pretty well for us...

We've beaten up a couple of vendors who said they required local admin
rights to run. We told them that we would get rid of their app in that
case. They "somehow" managed to find the few files and registry keys
that required full control instead of admin access to the machine. 

**********************
Charlie Kaiser
MCSE, CCNA
Systems Engineer
Essex Credit / Brickwalk
510 595 5083
**********************
 

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Rimmerman, Russ
> Sent: Thursday, June 30, 2005 5:35 AM
> To: [email protected]
> Subject: [ActiveDir] Do you make your users local admins on their PCs?
> 
> We're having a big discussion about users being local 
> administrators on their PCs.  We've made them local admins in 
> the past (on NT4 domain) because they needed to be able to 
> install apps, and we kept running into issues that led back 
> to them not having local admin rights.
> 
> Is there an easy way now that we're on a Win2k3 AD domain to 
> take admin rights away but still ensure things work 
> correctly?  What's the general consensus, do most of you give 
> your users local admin rights?