I am a local admin on my Win7 PC with UAC in default state. Admin tasks cause the UAC popup but all I have to do is acknowledge it, not supply a password every time. I have a homespun launcher app that I start with a runas /user:%mydomainadminaccount% to launch remote admin tools. When there is something I use so often that even one click to acknowledge is annoying, I create a scheduled task (with no trigger) for it that has "Run with highest privileges" set, then launch a shortcut to the task.

This is the most convenient yet reasonably secure setup that I have found. Oh, I have found one or two things (like conflicting security tokens when accessing shares on a server) that require a Win7 ctrl-alt-delete switch user to get around.

Doug Hilderbrand | Systems Analyst, Information Technology | Crane Aerospace & Electronics

From: James Rankin [mailto:kz2...@googlemail.com]
Sent: Wednesday, July 20, 2011 2:33 AM
To: NT System Admin Issues
Subject: Re: non-local admin revisited

I run with a non-privileged account on my Win7 workstation and have an admin account that I supply to UAC whenever I need to run anything with higher-level privileges. This works great for me, I am happy that I can't be tricked into anything without seeing the prompt. It's a little annoying when I have to launch a Citrix Delivery Services Console, a custom MMC and a PowerShell window with "Run as administrator" every time I log in, but that's the trade-off for higher security.

I also like the way Restricted Groups GPOs blat the whole group down rather than appending and we use this in addition to dual accounts and UAC. It certainly ensures the only people with local admin access to our workstations or servers are the accounts that we have deigned shall have it.

On 20 July 2011 10:19, Paul Hutchings <paul.hutchi...@mira.co.uk> wrote:

Yeah, I wasn't too clear from David's post though if that was the intention or if it was to try and stop people throwing on whatever they want.

I'd either go with UAC or have a local account on each machine and use it for "Run As" when needed - I've not played too much with restricted groups but AFAIK it overwrites the local admins group rather than appending it which I'd find a little (pardon the pun) restrictive.

Paul

From: Andrew S. Baker [mailto:asbz...@gmail.com]
Sent: 20 July 2011 01:08
To: NT System Admin Issues
Subject: Re: non-local admin revisited

Reduce risks related to system infection...

ASB
http://about.me/Andrew.S.Baker
Harnessing the Advantages of Technology for the SMB market...

On Tue, Jul 19, 2011 at 4:15 PM, Paul Hutchings <paul.hutchi...@mira.co.uk> wrote:

What's your reason for wanting to do it?

________________________________
From: David Lum [david....@nwea.org]
Sent: 19 July 2011 6:10 PM
To: NT System Admin Issues
Subject: non-local admin revisited

How do you bigger orgs handle IT staff (DBAs and the like) not being local admins on their systems? Invariably they are used to throwing on whatever they want and in some ways this helps the Help desk so they're not called to install stuff the user can install.

As we move to Windows 7 my recommendation is to yank local admin perms at the same time (yes everyone is local admin on their XP systems currently), but I foresee pushback from Service Desk and IT folks...

David Lum
Systems Engineer // NWEA

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
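
The first message in this thread describes trigger-less scheduled tasks set to "Run with highest privileges" that are launched from a shortcut to skip the UAC prompt. The script below is an added audit example, not part of the original thread: it lists every task on a machine that matches that pattern. It assumes the Task Scheduler COM API (Schedule.Service) available on Windows 7 and later; the function names are hypothetical.

```powershell
# Added audit example: list scheduled tasks that run elevated and have no trigger.
# Uses the Task Scheduler COM API (Schedule.Service), so it needs no extra module.
# Run from an elevated prompt to see tasks registered by other users as well.

$TASK_ENUM_HIDDEN      = 1   # GetTasks() flag: include hidden tasks
$TASK_RUNLEVEL_HIGHEST = 1   # Principal.RunLevel: 0 = limited (LUA), 1 = highest
$TASK_ACTION_EXEC      = 0   # Action.Type for "start a program"

function Get-TaskFolderTree {
    param($Folder)
    $Folder                                   # emit this folder, then recurse
    foreach ($sub in $Folder.GetFolders(0)) { Get-TaskFolderTree -Folder $sub }
}

function Get-OnDemandElevatedTask {
    $service = New-Object -ComObject Schedule.Service
    $service.Connect()                        # local machine, current credentials

    foreach ($folder in Get-TaskFolderTree -Folder $service.GetFolder('\')) {
        foreach ($task in $folder.GetTasks($TASK_ENUM_HIDDEN)) {
            $def = $task.Definition
            # Keep only tasks that run elevated and can only be started on demand
            if ($def.Principal.RunLevel -ne $TASK_RUNLEVEL_HIGHEST) { continue }
            if ($def.Triggers.Count -ne 0) { continue }

            # Collect the command line of each "start a program" action
            $commands = foreach ($action in $def.Actions) {
                if ($action.Type -eq $TASK_ACTION_EXEC) {
                    ('{0} {1}' -f $action.Path, $action.Arguments).Trim()
                }
            }

            New-Object PSObject -Property @{
                TaskPath = $task.Path
                RunAs    = $def.Principal.UserId
                Enabled  = $task.Enabled
                Author   = $def.RegistrationInfo.Author
                Commands = ($commands -join '; ')
            }
        }
    }
}

Get-OnDemandElevatedTask |
    Sort-Object TaskPath |
    Format-Table TaskPath, RunAs, Enabled, Author, Commands -AutoSize -Wrap
```

Expect some built-in Windows tasks in the output; compare against a known-good baseline, and check that each listed command lives in a path standard users cannot write to.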