Boswell's Q&A

Local Admin Rights, Right or Wrong

Based on your feedback, the issue of local admin rights isn't cut and dried.

In "Keys to the Kingdom," I invited input on whether or not you permitted users in your network to have local admin rights on their desktops. To date I've received more than a hundred replies that run the gamut from "Not no way, not no how," to "Yeah, we do, and what's the big deal?"

Most everyone agreed that they didn't like giving local admin rights, but many found it necessary for one reason or another. I found nearly 100-percent agreement that some form of local admin permissions was required for laptop users, but the case for desktops was much less cut-and-dried.

Here are a few examples:

John, a network engineer in a corporation: Like many businesses, we've faced decreasing budgets and reduced manpower. We don't have the time to spend tweaking security rights. For the most part our users are a responsible bunch who want to get their work done and go home. The few problems we've had were easily addressed with a basic Computer Use Policy that allowed us to manage the staff in a traditional non-technical fashion (if you abuse the company's equipment again you will be terminated.) We use Ghost on our network so if someone really messes up their machine we can clone it back again in a fraction of the time it would take to tweak local security for every app on the network.

On the other hand, Jorge, the IT director for a city, made this case for doing the necessary work to avoid granting local access rights: Never, ever do I give admin rights. I set registry and file permissions. I've had a software vendor insist that their application would not run unless I gave admin rights to the user. We tweaked and tested different registry and file permissions until the application ran correctly. We then presented them to the software vendor for testing to make sure all was well. They've since adopted the changes and include it in all documentation. Moral of the story—regardless of what vendors or other admins may say, granting local admin rights isn't necessary and should be avoided.

Many administrators cited a single mission critical application that prevented them from restricting local admin rights. They weren't happy about it, but they had to make the adjustment. Jeff: Our organization does indeed make the individual user assigned to a particular workstation a member of the local administrators group. This is done to accommodate the numerous changes that are made to the registry by AutoCAD and other engineering programs we use. I agree with your respondent's letter that you posted, but I feel that our organization has neither the time nor resources to invest in researching the group policy issue at this time.

Not surprisingly, university administrators were nearly (but not completely) unanimous that they had to give local admin rights. I liked the program that Charlie set up at a large university: We have a program where our employees can be designated a "Free Range User." It requires them to attend a short training and information session. Once they complete the session, we give them Local Administrator rights to their computer. They are warned that if they mess up their computer, our techs will spend minimal time trying to fix it. If the tech can't find the problem within 15 to 30 minutes, the computer is wiped and re-imaged with our baseline software configuration. They get a little card signifying their status and agree to augment the IT staff during times of virus outbreaks or helping their coworkers with simple tasks such as connecting to network printers.

Another university administrator named Charlie took this approach: When we rolled out Windows XP machines a year ago, we did not add the user's domain account to the local Administrators group. Instead we created a local account with Admin rights that they can use as an alternative. That works a little better because the user is not performing their normal functions with Admin rights. They are also less likely to install unneeded and messy apps because it's not so convenient.

Some respondents cited the eighth layer of the OSI model—the political layer—as the reason for granting local privileges. Steven: There are two employees here that were granted admin rights by their application of mightier force. They went to their boss (my boss's boss) and pleaded; the boss then twisted our arms until we granted the rights. We also gave them the responsibility that goes with those rights. When they screw up their machines, which has happened a couple of times, we happily install our Ghost copy of their drives. They lose data and we respond, "Oh well!"

I got many replies from small business consultants like Amy, who makes this case: I routinely give users admin rights. It's a situational necessity. My clients are all small businesses that only require my services a few hours every month. The users are very independent and computer savvy. They are competent enough to be allowed to install applications without coming to me first. I've done proactive training to put some fear into them about installing or deleting the wrong thing. With cooperative users, ongoing training, anti-virus and anti-pest software all runs quite smoothly. My users know that if they have any questions that I'm only a phone call away and I encourage them to call.

And Dave made the case for overworked administrators in smaller companies: In essence, we have a "trust" relationship with our employees. We treat them like mature adults and expect them to act that way. This has worked for us thus far, though we are a small company (less than 100 clients). Perhaps in a larger shop, different measures are prudent.

I must admit that I like the idea of treating adults like adults, and I got many replies in that same vein, but Bill, a network admin for a farm supply company in Pennsylvania, argues in favor of distrust: It's my job to keep nasty stuff from infecting my network. If I give someone local admin rights they can uninstall/disable the installed antivirus software and would also be able to install programs like an instant messenger or peer-to-peer file-sharing application or anything they choose. The loaded gun/child analogy is perfect. If they need another application installed that's outside of our standard load, then they can take it to their manager and explain the legitimate business need. It's at that point, then, that software gets installed.

Frankly, I found Bill's argument compelling. Users might be highly trusted, but they aren't regularly exposed to trade information that warns them of the dangers of spyware or certain peer-to-peer programs and they aren't as likely to know when particularly dangerous worms are circulating.

Still, the bottom line is that there is no bottom line. The decision to grant local admin rights, like any other system administration decision, is based on the need to further the goals of the organization while finding a few spare hours to get home and see the family.

Thanks to everyone who took the time to write. Be sure to let me know if you have especially good war stories on this or any other topic.

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003, both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.
