First question why do they need administration rights. Just because they've said so or some app they running isn't working. I agree giving users administration rights on workstations could be an issue.
Ed On Mar 26, 2015 1:40 AM, "Freddy Grande" <[email protected]> wrote: > How does everyone handle users needing local administrator rights? > > We have some field users that require local admin, at the moment their > domain accounts have local administrator rights on their computers, > however, this can be dangerous if they run everything as admin. > > > > I’ve been wanting to create local admin accounts on computers that require > it, set a unique password to these and deny local/interactive logon so they > are only to be used for elevation. Ideally all of this should be controlled > through GPO or similar method to prevent users changing passwords to > something weak. I’m not finding an easy way to refer to local accounts in > GPO though so I’m thinking scripting is going to be the only way to go… any > thoughts or ideas? > > > > Bonus: how would you prevent a user from launching an elevated Computer > Management console and adding their domain user accounts to the > Administrators group? > > > > Freddy > > >
