Our policy has always been to only give those rights or permissions that are needed. 99% of our users are not admins of their own systems and especially not local administrators. We only have 1 local admin account; it is site-specific, so if compromised, it only affects that site. Users will load trojans, viruses and all kinds of junk if left as admins. Non-admins will lose the rights to alter the registry and to manipulate other user folders on the system or share. Anybody can map a share if it's available. Non-admins can still share files, but only their files, not the entire C drive. Going to Power User will alter their experience but makes for a much more secure and manageable environment. It will increase time requirements from the technical staff as well and will also motivate you towards automated management tools for updates and such: WSUS, McAfee EPO, Ghost, RIS, etc.

Regards,

Ken Jensen
Technical Support Specialist III
Capistrano Unified School District
San Juan Capistrano, California
(949)283-8375 (949)234-5500
I've had a lovely evening, but this wasn't it....

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, Russ
Sent: Tuesday, February 14, 2006 7:40 AM
To: [email protected]
Subject: [ActiveDir] Local admin privileges

Well, someone just realized that since all our users are local admins on their PCs, they can map to another user's C$ share and see all their data. They asked mgmt if they knew about that, and now of course, they're concerned about it. It's been this way for years, but I digress.

SO, what is the general consensus on giving users full ability to install/remove software at will, but not allowing them to map to other PCs' c$ drives? Make everyone Power Users instead? Is there anything that they might lose from going from local admins to power users on their PCs besides this c$ mapping functionality?


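The thread turns on which accounts sit in each PC's local Administrators group, so the following added example (not part of either message, and not code from the list) audits that membership against an allow-list. It assumes an English-language Windows install where the group is named "Administrators"; `$Approved`, `Get-LocalAdminMember` and `Find-UnexpectedLocalAdmin` are hypothetical names chosen for illustration.

```powershell
# Added example: list members of the local Administrators group and flag
# any that are not on an approved list. Run locally, or pass a remote
# computer name you are authorized to administer.

# Constructed allow-list (assumption): replace with your site's approved names.
$Approved = @('Administrator', 'Domain Admins')

# Read one property from the COM object returned by the WinNT ADSI provider.
function Get-AdsiProperty($ComObject, [string]$Property) {
    $ComObject.GetType().InvokeMember($Property, 'GetProperty', $null, $ComObject, $null)
}

function Get-LocalAdminMember {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Assumes the group is named "Administrators" (localized installs differ).
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        New-Object PSObject -Property @{
            Computer = $ComputerName
            Name     = Get-AdsiProperty $member 'Name'
            Class    = Get-AdsiProperty $member 'Class'    # User or Group
            ADsPath  = Get-AdsiProperty $member 'ADsPath'  # shows domain vs. local origin
        }
    }
}

function Find-UnexpectedLocalAdmin {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string[]]$Allowed = $Approved
    )
    # Name-only match: review ADsPath in the output to tell a local account
    # from a domain account that happens to share the same name.
    Get-LocalAdminMember -ComputerName $ComputerName |
        Where-Object { $Allowed -notcontains $_.Name }
}

Find-UnexpectedLocalAdmin |
    Select-Object Computer, Name, Class, ADsPath |
    Format-Table -AutoSize
```

An empty result means every member matched the allow-list by name; any row returned is an account or group whose administrative access to that PC, including its C$ share, should be reviewed.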