1. Determine *exactly why* they need local admin rights.
2. Address the *specific issues* accordingly.
3. Avoid giving blanket permissions *at all costs*.

-- Espi

On Wed, Mar 25, 2015 at 10:38 PM, Freddy Grande <[email protected]> wrote:
> How does everyone handle users needing local administrator rights?
>
> We have some field users that require local admin, at the moment their
> domain accounts have local administrator rights on their computers,
> however, this can be dangerous if they run everything as admin.
>
> I've been wanting to create local admin accounts on computers that require
> it, set a unique password to these and deny local/interactive logon so they
> are only to be used for elevation. Ideally all of this should be controlled
> through GPO or similar method to prevent users changing passwords to
> something weak. I'm not finding an easy way to refer to local accounts in
> GPO though so I'm thinking scripting is going to be the only way to go... any
> thoughts or ideas?
>
> Bonus: how would you prevent a user from launching an elevated Computer
> Management console and adding their domain user accounts to the
> Administrators group?
>
> Freddy

