I would generally have to say, no don't make them admins.
That being said, locking down workstations tends to be a trifle more challenging
than locking down servers.
Basically the question comes down to are there are any LOB
apps in your company that require admin rights? If they do, has anyone looked
into why? Generally with filemon and regmon you can work out what they are
trying to access and just poke a few ACL changes into place to fix it and build
that into your OS load.
If there is nothing that can be worked around,
definitely lock the people down. Back in NT4 days we locked people down to
power user and the stability of the workstations went way up. It mostly pissed
off people who wanted to load personal software or PointCast which didn't bother
me a whole lot.
Make note though that power user is not a complete
lockdown, a bright user can escalate their access from it.
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Thursday, June 30, 2005 8:35 AM
To: [email protected]
Subject: [ActiveDir] Do you make your users local admins on their PCs?
We're having a big
discussion about users being local administrators on their PCs. We've made
them local admins in the past (on NT4 domain) because they needed to be able to
install apps, and we kept running into issues that led back to them not having
local admin rights.
Is there easy way now that we're on a Win2k3 AD domain to take admin rights away but still ensure things work correctly? What's the general consensus, do most of you give your users local admin rights?
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
