I would generally have to say no, don't make them admins. That being said, locking down workstations tends to be a trifle more challenging than locking down servers.
 
Basically the question comes down to: are there any LOB apps in your company that require admin rights? If there are, has anyone looked into why? Generally with filemon and regmon you can work out what they are trying to access and just poke a few ACL changes into place to fix it and build that into your OS load.
 
If there is nothing that can be worked around, definitely lock the people down. Back in NT4 days we locked people down to power user and the stability of the workstations went way up. It mostly pissed off people who wanted to load personal software or PointCast, which didn't bother me a whole lot.
 
Make note, though, that power user is not a complete lockdown; a bright user can escalate their access from it.
 
   joe
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Thursday, June 30, 2005 8:35 AM
To: [email protected]
Subject: [ActiveDir] Do you make your users local admins on their PCs?

We're having a big discussion about users being local administrators on their PCs.  We've made them local admins in the past (on NT4 domain) because they needed to be able to install apps, and we kept running into issues that led back to them not having local admin rights.

Is there an easy way now that we're on a Win2k3 AD domain to take admin rights away but still ensure things work correctly?  What's the general consensus, do most of you give your users local admin rights?
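
The filemon/regmon triage suggested in the reply above, sketched as an added example that is not part of the original thread: it filters a saved monitor log for denied accesses by one application and groups them by path, flagging system locations where loosening an ACL needs extra review. The tab-separated column layout, the result strings, the process name `lobapp.exe` and all paths are assumptions made for illustration.

```python
# Added example: summarise denied accesses from a Filemon/Regmon-style log.
# Assumed layout (tab-separated): seq, time, process:pid, request, path, result, other

# Constructed sample rows; "lobapp.exe" and every path below are hypothetical.
ROWS = [
    ("1", "09:14:02", "lobapp.exe:1412", "OPEN", r"C:\Program Files\LobApp\lobapp.ini", "SUCCESS", ""),
    ("2", "09:14:02", "lobapp.exe:1412", "WRITE", r"C:\Program Files\LobApp\lobapp.ini", "ACCESS DENIED", ""),
    ("3", "09:14:03", "lobapp.exe:1412", "CREATE", r"C:\Program Files\LobApp\logs\today.log", "ACCESS DENIED", ""),
    ("4", "09:14:03", "explorer.exe:988", "OPEN", r"C:\WINDOWS\system32\drivers\etc\hosts", "ACCESS DENIED", ""),
    ("5", "09:14:04", "lobapp.exe:1412", "SetValue", r"HKLM\SOFTWARE\LobApp\Settings\LastRun", "ACCDENIED", ""),
    ("6", "09:14:05", "lobapp.exe:1412", "WRITE", r"C:\Program Files\LobApp\lobapp.ini", "ACCESS DENIED", ""),
    ("7", "09:14:06", "lobapp.exe:1412", "CREATE", r"C:\WINDOWS\lobapp.tmp", "ACCESS DENIED", ""),
]
SAMPLE_LOG = "\n".join("\t".join(r) for r in ROWS)

DENIED = {"ACCESS DENIED", "ACCDENIED"}  # assumed result strings for file and registry logs
# Illustrative list of locations where granting users write access is risky.
SENSITIVE_PREFIXES = ("c:\\windows\\", "hklm\\system\\", "hklm\\software\\microsoft\\")


def denied_targets(log_text, process_name):
    """Return {path: {"requests": set, "count": int, "sensitive": bool}}
    for every access by process_name that the log records as denied."""
    hits = {}
    for line in log_text.splitlines():
        cols = line.split("\t")
        if len(cols) < 6:
            continue  # header or truncated line
        proc = cols[2].rsplit(":", 1)[0].strip().lower()  # drop the ":pid" suffix
        request, path, result = cols[3].strip(), cols[4].strip(), cols[5].strip().upper()
        if proc != process_name.lower() or result not in DENIED:
            continue
        entry = hits.setdefault(path, {
            "requests": set(), "count": 0,
            "sensitive": path.lower().startswith(SENSITIVE_PREFIXES)})
        entry["requests"].add(request)
        entry["count"] += 1
    return hits


if __name__ == "__main__":
    for path, info in sorted(denied_targets(SAMPLE_LOG, "lobapp.exe").items()):
        flag = "REVIEW: system location" if info["sensitive"] else "candidate for ACL change"
        print(f"{info['count']:>2}  {','.join(sorted(info['requests'])):<10} {path}  [{flag}]")
```

Paths flagged as system locations are better handled by fixing or reconfiguring the application than by widening the ACL, since a write grant there is available to everything the user runs.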
