[gptalk] Re: Local User Account

  • From: "Andrew McHale" <Andrew.McHale@xxxxxxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Mon, 24 Nov 2008 16:04:50 -0000

Awesome Jamie,

 

Nice find. I've been wanting to move away from our current system since
I took over the network but it's always seemed like a massive job and
potential nightmare to do so (yes I know recovering from a system outage
due to the propagation of a virus/worm would have been worse).

 

I think I'll bump this task up to sometime next month!

 

Thanks

 

Andrew

 

 

From: Nelson, Jamie [mailto:Jamie.Nelson@xxxxxxx] 
Sent: 24 November 2008 15:53
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Local User Account

 

BeyondTrust has a free application rights auditor that you can run
against your systems to determine applications that require
administrative rights to run correctly. You can find out more about it
here:

 

http://www.beyondtrust.com/products/ApplicationRightsAuditor.aspx

 

They also have a commercial product that allows you to manage these
problem applications without granting full administrator rights to the
user. It's pretty neat.

 

Regards,

 

 

 

Jamie Nelson | Operations Consultant | BI&T Infrastructure-Intel | Devon
Energy Corporation | Work: 405.552.8054 | Mobile: 405.200.8088 |
http://www.dvn.com

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Monday, November 24, 2008 9:47 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Local User Account

 

It's a good point Andrew. Despite the pure evil nature of letting your
users be admin, there are still a lot of crappy apps (including some
from MS) that still require it, or at least a relaxing of permissions.

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Andrew McHale
Sent: Monday, November 24, 2008 7:42 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Local User Account

 

Ryan,

 

A word of warning if I may.

 

A lot of 3rd party applications require certain levels of access to the
computer. For example, our accounting package requires write access to
its own installation folder in order to save temp files.

 

Unfortunately we are like you were with the small company attitude (we
total 25 people) and so everyone has local admin access to their own
machine (think happy thoughts Darren!). When I tried to take this away
from a test user the application stopped working until I gave that user
specific write permissions to this particular folder.

 

So, in short, test what will happen if you take this level of access
away from your users before you do it company wide. 250 computers all
with faulting applications would be a seriously bad day at the office
for you!

 

Andrew

 

 

 

From: Ryan Bannon [mailto:ryanbannon@xxxxxxxxxxxxxxxxxxx] 
Sent: 24 November 2008 15:36
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Local User Account

 

Darren,

 

Very cool.  Thanks for your help.  I have been working on a new Group
Policy for our company for a few months now and I wish I would have
found this sooner.  I appreciate it.

 

Thanks,

 

Ryan

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Monday, November 24, 2008 10:28 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Local User Account

 

Ryan-

Check out the whitepaper on my site about GPP
(http://www.gpoguy.com/Group-Policy-Whitepapers.aspx). It's basically a
free add-on that MS provides to give you additional capabilities within
GP. However, in your scenario, if you are trying to remove a unique user
account from the local Administrators group on each machine, GPP won't
help you. But, since your users are already administrators, you could
create a simple GP-based logon script that lets them remove themselves
from local administrators. Something like this would work:

 

Net localgroup administrators %username% /delete

 

Should work. Once the user re-logs in, then they will no longer be in
Local Administrators.

 

Darren
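As an added example (not from the thread or from Darren), here is the same self-removal logon script written in PowerShell against the WinNT ADSI provider, so that it also handles a domain account as the member, checks membership before acting, and records the outcome. It assumes it runs in the user's own logon session (so it only succeeds while that user is still a local admin) and the log path is a constructed placeholder.

```powershell
# Added example, not part of the original thread. Equivalent of
#   net localgroup administrators %username% /delete
# run as a per-user logon script, with a membership check and a log.
$domain  = $env:USERDOMAIN
$user    = $env:USERNAME
$logFile = "$env:TEMP\RemoveLocalAdmin.log"    # constructed placeholder path

function Write-Log([string]$message) {
    "$(Get-Date -Format s) $message" | Out-File -FilePath $logFile -Append
}

# Bind to the local Administrators group on this machine ('.' = local computer)
$group = [ADSI]"WinNT://./Administrators,group"

# Enumerate current members and normalise each ADsPath
# (WinNT://DOMAIN/Name or WinNT://COMPUTER/Name) to DOMAIN\Name
$members = @($group.psbase.Invoke("Members") | ForEach-Object {
    $adsPath = $_.GetType().InvokeMember("ADsPath", "GetProperty", $null, $_, $null)
    ($adsPath -replace '^WinNT://', '') -replace '/', '\'
})

$me = "$domain\$user"
if ($members -notcontains $me) {
    # Nothing to do: already a standard user (or removal already ran)
    Write-Log "$me is not a member of Administrators; nothing to do"
    return
}

try {
    # Remove the interactive user; takes effect at the next logon,
    # because the current token still carries the Administrators SID
    $group.Remove("WinNT://$domain/$user")
    Write-Log "removed $me from local Administrators"
}
catch {
    # Typical cause: the script is not running with admin rights anymore
    Write-Log "FAILED to remove $me from Administrators: $($_.Exception.Message)"
}
```

Because the change only applies to tokens issued after the removal, the log line is the quickest way to confirm on which machines it actually ran before users log back in.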

 

 

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Ryan Bannon
Sent: Monday, November 24, 2008 7:18 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Local User Account

 

Darren,

 

For the most part everyone is a local admin.  We have had a small
company mentality for quite a while, but now we have grown pretty
rapidly over the last few years, and now are getting a larger profile in
the industry, so we wanted to lock down our PCs and not let users do
that much.  So one of the steps is not giving them local admin rights to
their PCs.  So what is Group Policy Preferences?  Is that an add-on
program or snap-in?  And can it be added after having a Group Policy
already in place?

 

Thanks,

 

Ryan

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Darren Mar-Elia
Sent: Monday, November 24, 2008 9:51 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Local User Account

 

Ryan-

Yes, this is a perfect job for Group Policy Preferences' Local Users and
Groups feature if you have rolled out GPP. If you haven't then you would
probably have to use a computer startup script to do it. Is the local
user account different on every machine? 

 

Darren

 

From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Ryan Bannon
Sent: Monday, November 24, 2008 6:34 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Local User Account

 

I am looking for a way to change the local user account type for our
computers.  Right now we have them as local administrators, but we want
to change that to just a local user.  We have around 250 computers, so I
don't want to have to do it manually.  Is there a way to do this with
Group Policy?

 

Thanks,

 

Ryan Bannon

IT Support Technician

Pioneer Surgical Technology

 
