Q

Allowing users local administrative rights

I need to allow users local administrative rights to their workstations, but I don't want them to have access to change domain or network settings. Is this possible?

I need to allow users local administrative rights to their workstations, but I don't want them to have access to change domain or network settings. Is this possible?

It depends on what you mean by local administrative rights. If you mean to just give a user "user rights," which elevates their privilege to perform administrative tasks, then yes. To do this, just create a GPO (or modify the local GPO) and link it to the organizational unit which contains the user's computer account. Inside the GPO, configure the appropriate user rights (under the Computer Configuration|Windows Settings|Security Settings|Local...

Policies|User Rights Assignment).

If you want to give the user more broad power, you can use a group like the Power Users group. However, I think that this group is not as useful as we once thought. Neither does Microsoft, as they are getting rid of the Power Users group in the next release of Windows (Vista). They are moving to a concept of LUA (Least Privileged User Account).

Microsoft has not yet developed a solution for the LUA account, since they don't have anything they can configure to allow the user to function as a LUA, but be able to perform other administrative tasks, which is what you are asking. However, there is a third party solution called PolicyMaker Security Application. This tool works seamlessly with Group Policy and allows individual tasks and applications to be elevated to administrative levels. Other solutions like RunAs, RunAs Professional, and Drop My Rights are for administrators, not end users. These tools don't provide the end user with the least privilege access.

This was first published in August 2005

Dig deeper on Microsoft Group Policy Management

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close