If you want to manage local admin rights and apps/functions that need them without actually giving them, take a look at AppSense Application Manager. It can elevate and de-elevate admin rights and user rights on-the-fly on a process or applet basis, including for common dialog boxes.
It also has a rights discovery mode to see who needs elevated rights, and why. It's now available as a separate product, making it much more palatable. Cheers, JR From: [email protected] [mailto:[email protected]] On Behalf Of Freddy Grande Sent: 26 March 2015 05:39 To: [email protected] Subject: [NTSysADM] Local Administrators on computers How does everyone handle users needing local administrator rights? We have some field users that require local admin, at the moment their domain accounts have local administrator rights on their computers, however, this can be dangerous if they run everything as admin. I've been wanting to create local admin accounts on computers that require it, set a unique password to these and deny local/interactive logon so they are only to be used for elevation. Ideally all of this should be controlled through GPO or similar method to prevent users changing passwords to something weak. I'm not finding an easy way to refer to local accounts in GPO though so I'm thinking scripting is going to be the only way to go... any thoughts or ideas? Bonus: how would you prevent a user from launching an elevated Computer Management console and adding their domain user accounts to the Administrators group? Freddy
