Local Admins

Guest

Management has decided to make all Authenticated Domain users Local Administrators on their office desktop running Win2k and WinXP. Please help me provide information on why this should not be done.
Any response will be appreciated.
 
Mr. Fixit said:
Management has decided to make all Authenticated Domain users Local Administrators on their office desktop running Win2k and WinXP. Please help me provide information on why this should not be done.
Any response will be appreciated.

Hi

You could consider using the built-in "NT Authority\Interactive" instead, meaning
everybody logged in interactively (through the console) on the computer.

We add NT Authority\Interactive in the local Administrators group to let all
domain users automatically be local admins when they log on to a computer
interactively (thus avoiding the issue with cross network admin rights that
"Authenticated Domain users", "Domain Users" or
"NT AUTHORITY\Authenticated Users" will give you).
 
-----Original Message-----
Management has decided to make all Authenticated Domain
users Local Administrators on their office desktop running
Win2k and WinXP. Please help me provide information on
why this should not be done.
Any response will be appreciated.
.
Can *all* users be *trusted* to be local administrators?
Sounds pretty risky to me. Would *you* trust all users to
make good decisions?
 
Balance why they have taken this decision, perhaps
productivity of the desktop users (due to some app
that needs admin, or the ability to install software)
against time needed keeping those systems safe and
running.

--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA
Mr. Fixit said:
Management has decided to make all Authenticated Domain users Local
Administrators on their office desktop running Win2k and WinXP. Please help
me provide information on why this should not be done.
 
We have users restricted in the domain. But have them as local
administrators in our shop. The reason we do this is because certain apps
won't run correctly without administrative access. But we only add their ID
to that machine, so it's not like everyone is logged in as administrator with
the same password. That way they can't try and administrate another machine
or connect to another machine unless it's part of the domain and their domain
permissions allow it.
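
An added example, not part of any post in this thread: a PowerShell check that sorts entries of the local Administrators group along the lines the replies draw (domain-wide groups that carry admin rights across the network, NT AUTHORITY\INTERACTIVE, and individually added IDs). The function names and the sample entries are constructed for illustration; `Get-LocalGroupMember` requires Windows PowerShell 5.1, so for Win2k/XP hosts the member list has to be collected another way and passed in.

```powershell
# Classify one SID by how broadly it grants local admin rights.
function Get-SidExposure {
    param([Parameter(Mandatory)][string]$Sid)
    switch -Regex ($Sid) {
        # Everyone / Authenticated Users / <domain>\Domain Users:
        # present in network logon tokens, so any such user is admin remotely.
        '^S-1-1-0$'                     { return 'NetworkWide' }
        '^S-1-5-11$'                    { return 'NetworkWide' }
        '^S-1-5-21-(\d+-){3}513$'       { return 'NetworkWide' }
        # NT AUTHORITY\INTERACTIVE: only in tokens from interactive logons
        # (console, and Remote Desktop where it is enabled).
        '^S-1-5-4$'                     { return 'InteractiveOnly' }
        # Built-in Administrator (RID 500) and Domain Admins (RID 512).
        '^S-1-5-21-(\d+-){3}(500|512)$' { return 'Expected' }
        # Anything else: an individually added user or group; review by hand.
        default                         { return 'NamedPrincipal' }
    }
}

# Annotate a list of members (objects with Name and SID properties).
function Get-AdminMemberExposure {
    param([Parameter(Mandatory)][object[]]$Members)
    foreach ($m in $Members) {
        [pscustomobject]@{
            Name     = $m.Name
            Sid      = "$($m.SID)"
            Exposure = Get-SidExposure -Sid "$($m.SID)"
        }
    }
}

# Constructed sample membership (not taken from any real machine).
$sample = @(
    [pscustomobject]@{ Name = 'PC01\Administrator'
                       SID  = 'S-1-5-21-1111111111-2222222222-3333333333-500' }
    [pscustomobject]@{ Name = 'EXAMPLE\Domain Admins'
                       SID  = 'S-1-5-21-1000000001-2000000002-3000000003-512' }
    [pscustomobject]@{ Name = 'NT AUTHORITY\Authenticated Users'; SID = 'S-1-5-11' }
    [pscustomobject]@{ Name = 'NT AUTHORITY\INTERACTIVE';         SID = 'S-1-5-4' }
    [pscustomobject]@{ Name = 'EXAMPLE\jsmith'
                       SID  = 'S-1-5-21-1000000001-2000000002-3000000003-1104' }
)
Get-AdminMemberExposure -Members $sample | Format-Table -AutoSize

# On a live machine (S-1-5-32-544 is the built-in Administrators group):
# Get-AdminMemberExposure -Members (Get-LocalGroupMember -SID 'S-1-5-32-544')
```

Matching on SIDs rather than names keeps the check independent of localized group names.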
 