ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Re-evaluating Local Administrative User Rights

    IT Discussion
    9
    128
    5.9k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • DashrenderD
      Dashrender @Obsolesce
      last edited by

      @Obsolesce said in Re-evaluating Local Administrative User Rights:

      @Dashrender said in Re-evaluating Local Administrative User Rights:

      @jmoore said in Re-evaluating Local Administrative User Rights:

      I would agree in most situations no user needs to be admin on their own box. I think this is the way to go about things. Of course there are a lot of other factors as others have mentioned. However, if someone at your company tells you to compromise, what about having a seperate admin account that they only use when necessary? Then the rest of the time they use their regular account.

      This is exactly what IT and those users should be doing...

      It's what I do - I have a user account just like everyone else at my company and a domain admin account for my admin stuff.

      I know that since I can easily do much of my work without local admin - no user in my company needs admin (our uses are pretty low - we are a medical company, not a technical one).

      Domain admin is a totally separate discussion and nothing to do with this.

      Well - in my case, I only have two accounts - domain admin (i.e. the admin account) and my domain user (non-admin) account. So I use domain admin/local admin interchangably... but I get your point.

      1 Reply Last reply Reply Quote 0
      • DashrenderD
        Dashrender @Obsolesce
        last edited by

        @Obsolesce said in Re-evaluating Local Administrative User Rights:

        @jmoore said in Re-evaluating Local Administrative User Rights:

        I would agree in most situations no user needs to be admin on their own box. I think this is the way to go about things. Of course there are a lot of other factors as others have mentioned. However, if someone at your company tells you to compromise, what about having a seperate admin account that they only use when necessary? Then the rest of the time they use their regular account.

        Perhaps. But actually logging into an admin account means they they would be logged in and have admin rights full time while logged on, and that works around the whole thing.

        As a compromise, I think sticking to exceptions being able to temporarily obtain local admin rights, with warning, acceptance message, etc. That will force consciousness of the fact.

        Are you using a product that allows for this temporary gaining of local admin rights?

        ObsolesceO 1 Reply Last reply Reply Quote 0
        • ObsolesceO
          Obsolesce @Dashrender
          last edited by

          @Dashrender said in Re-evaluating Local Administrative User Rights:

          @Obsolesce said in Re-evaluating Local Administrative User Rights:

          @jmoore said in Re-evaluating Local Administrative User Rights:

          I would agree in most situations no user needs to be admin on their own box. I think this is the way to go about things. Of course there are a lot of other factors as others have mentioned. However, if someone at your company tells you to compromise, what about having a seperate admin account that they only use when necessary? Then the rest of the time they use their regular account.

          Perhaps. But actually logging into an admin account means they they would be logged in and have admin rights full time while logged on, and that works around the whole thing.

          As a compromise, I think sticking to exceptions being able to temporarily obtain local admin rights, with warning, acceptance message, etc. That will force consciousness of the fact.

          Are you using a product that allows for this temporary gaining of local admin rights?

          Yes you could say that.

          DashrenderD 1 Reply Last reply Reply Quote 0
          • jmooreJ
            jmoore @Obsolesce
            last edited by

            @Obsolesce said in Re-evaluating Local Administrative User Rights:

            @jmoore said in Re-evaluating Local Administrative User Rights:

            I would agree in most situations no user needs to be admin on their own box. I think this is the way to go about things. Of course there are a lot of other factors as others have mentioned. However, if someone at your company tells you to compromise, what about having a seperate admin account that they only use when necessary? Then the rest of the time they use their regular account.

            Perhaps. But actually logging into an admin account means they they would be logged in and have admin rights full time while logged on, and that works around the whole thing.

            As a compromise, I think sticking to exceptions being able to temporarily obtain local admin rights, with warning, acceptance message, etc. That will force consciousness of the fact.

            Yes true. I wasn't very clear, a fault of mine. What I do is run under a plain user account and when something that required admin credentials i just enter in those credentials. I was not meaning for the user to just log in as the admin account. Of course you have to trust they will do this, so thats not full proof. Its just what I do.

            1 Reply Last reply Reply Quote 0
            • scottalanmillerS
              scottalanmiller @jmoore
              last edited by

              @jmoore said in Re-evaluating Local Administrative User Rights:

              However, if someone at your company tells you to compromise, what about having a seperate admin account that they only use when necessary? Then the rest of the time they use their regular account.

              That's fine if they are authorized. That's how IT should be doing it themselves, IMHO. This is how you properly give that kind of access.

              ObsolesceO 1 Reply Last reply Reply Quote 0
              • DashrenderD
                Dashrender @Obsolesce
                last edited by

                @Obsolesce said in Re-evaluating Local Administrative User Rights:

                @Dashrender said in Re-evaluating Local Administrative User Rights:

                @Obsolesce said in Re-evaluating Local Administrative User Rights:

                @jmoore said in Re-evaluating Local Administrative User Rights:

                I would agree in most situations no user needs to be admin on their own box. I think this is the way to go about things. Of course there are a lot of other factors as others have mentioned. However, if someone at your company tells you to compromise, what about having a seperate admin account that they only use when necessary? Then the rest of the time they use their regular account.

                Perhaps. But actually logging into an admin account means they they would be logged in and have admin rights full time while logged on, and that works around the whole thing.

                As a compromise, I think sticking to exceptions being able to temporarily obtain local admin rights, with warning, acceptance message, etc. That will force consciousness of the fact.

                Are you using a product that allows for this temporary gaining of local admin rights?

                Yes you could say that.

                Why so coy?

                ObsolesceO 1 Reply Last reply Reply Quote 0
                • ObsolesceO
                  Obsolesce @scottalanmiller
                  last edited by

                  @scottalanmiller said in Re-evaluating Local Administrative User Rights:

                  @jmoore said in Re-evaluating Local Administrative User Rights:

                  However, if someone at your company tells you to compromise, what about having a seperate admin account that they only use when necessary? Then the rest of the time they use their regular account.

                  That's fine if they are authorized. That's how IT should be doing it themselves, IMHO. This is how you properly give that kind of access.

                  Yes but this topic is more about preventing a blanket local admin rights enablement, identifying risks, pros, cons, and options to compromise. Not really at all about IT's ability to gain local admin rights. Ideally nobody at all will have local admin rights ability. If something is wrong and needs fixed requiring local admin, it can be done via MDM means, ideally.

                  We don't want any one person or account local admin access across the board or across multiple devices either.

                  Intune makes any of these possible, and some are currently in practice, but that's starting to steer off the path a little.

                  1 Reply Last reply Reply Quote 0
                  • ObsolesceO
                    Obsolesce @Dashrender
                    last edited by

                    @Dashrender said in Re-evaluating Local Administrative User Rights:

                    @Obsolesce said in Re-evaluating Local Administrative User Rights:

                    @Dashrender said in Re-evaluating Local Administrative User Rights:

                    @Obsolesce said in Re-evaluating Local Administrative User Rights:

                    @jmoore said in Re-evaluating Local Administrative User Rights:

                    I would agree in most situations no user needs to be admin on their own box. I think this is the way to go about things. Of course there are a lot of other factors as others have mentioned. However, if someone at your company tells you to compromise, what about having a seperate admin account that they only use when necessary? Then the rest of the time they use their regular account.

                    Perhaps. But actually logging into an admin account means they they would be logged in and have admin rights full time while logged on, and that works around the whole thing.

                    As a compromise, I think sticking to exceptions being able to temporarily obtain local admin rights, with warning, acceptance message, etc. That will force consciousness of the fact.

                    Are you using a product that allows for this temporary gaining of local admin rights?

                    Yes you could say that.

                    Why so coy?

                    Not intentionally, just wanting to stay on the main discussion.

                    1 Reply Last reply Reply Quote 0
                    • 1
                    • 2
                    • 3
                    • 4
                    • 5
                    • 6
                    • 7
                    • 7 / 7
                    • First post
                      Last post