Keys to the Kingdom

Is giving a local user admin rights any way to run a network?

In response to my column, "Local Control" (click here to read it), where I described how to use Restricted Groups to give users local admin rights, I got some thoughtful responses chiding me for describing this type of operation. Here's an example from Peter:

Bill: While your answer is accurate, it also does everyone on the mailer a disservice. The question starts out with a statement that I have heard all too often..."We set ALL USERS to have local admin access to their PC." As you well know, this is no way to run a network. It's like handing a loaded weapon to a toddler and sending him off to the local playground. It is only a matter of time before he hurts himself or someone else.

A Microsoft Certified System Engineer should never tell you that you have to give local admin rights for a PC to a general user. Applications can be enabled by setting registry and file permissions via Group Policy. Debugging rights can be granted to a developers group via policy. There are a number of ways of dealing with problem issues without just handing every user the keys to the kingdom.

Get Help from Bill

Got a Windows or Exchange question or need troubleshooting help? Or maybe you want a better explanation than provided in the manuals? Describe your dilemma in an e-mail to Bill at mailto:[email protected]; the best questions get answered in this column.

When you send your questions, please include your full first and last name, location, certifications (if any) with your message. (If you prefer to remain anonymous, specify this in your message but submit the requested information for verification purposes.)

Now, I think Peter makes an excellent point that I should have pointed out the problems with giving local admin rights to users. But I also know that quite a few system administrators routinely give users local admin rights and are none the worse for it.

So, I'd like to hear how you do business:

  • Do you give users local admin rights or not?
  • What was the critical item that caused you to make your decision?
  • Do you have any cause to regret your decision, one way or the other?

Write me at [email protected] with your answers to these questions; be sure to put "User Rights" on the subject line of your message. I'll bundle up the best answers in a future column.

About the Author

Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003 both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.

Featured