Ask the Expert

Allowing users local administrative rights

I need to allow users local administrative rights to their workstations, but I don't want them to have access to change domain or network settings. Is this possible?

    Requires Free Membership to View

It depends on what you mean by local administrative rights. If you mean to just give a user "user rights," which elevates their privilege to perform administrative tasks, then yes. To do this, just create a GPO (or modify the local GPO) and link it to the organizational unit which contains the user's computer account. Inside the GPO, configure the appropriate user rights (under the Computer Configuration|Windows Settings|Security Settings|Local Policies|User Rights Assignment).

If you want to give the user more broad power, you can use a group like the Power Users group. However, I think that this group is not as useful as we once thought. Neither does Microsoft, as they are getting rid of the Power Users group in the next release of Windows (Vista). They are moving to a concept of LUA (Least Privileged User Account).

Microsoft has not yet developed a solution for the LUA account, since they don't have anything they can configure to allow the user to function as a LUA, but be able to perform other administrative tasks, which is what you are asking. However, there is a third party solution called PolicyMaker Security Application. This tool works seamlessly with Group Policy and allows individual tasks and applications to be elevated to administrative levels. Other solutions like RunAs, RunAs Professional, and Drop My Rights are for administrators, not end users. These tools don't provide the end user with the least privilege access.

This was first published in August 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: