Re: Removing Local Admin Rights...

["Tom Stowell" <jts () deforest k12 wi us>]

We're a bit smaller -- 1,000 desktops running Win2k.  We instituted a
policy like yours about two years ago.  We run into problems with
USB devices, and need to install but other than that our experience 
has been positive.  Since we instituted the policy, support requests
are down about 35%.


Tom Stowell
Network Administrator
DeForest Area School District
520 E. Holum St.
DeForest, WI 53532
Fax: (608)-842-6545
Voice: (608)-842-6500
Email: <jts () deforest k12 wi us>


console, n. [From latin consolatio(n) "comfort, spiritual solace."] A device for displaying or printing condolances or 
obituaries for the operator.
            -- Stan Kelly-Bootle, The Computer Contradictionary.


> > > "Jay Lopez" <jlopez_si86 () hotmail com> 05/25/04 08:48AM >>>
I currently work for an organization with approximately 25,000 Windows 
XP/2000 desktops in an Active Directory (AD) environment.  Security from an 
OS and individual application component (i.e., Outlook 2003, MS Office, IE, 
etc.) perspective is being managed via group policy objects (GPO's).

Currently, we are pushing to remove local administrator access rights to 
individual machines to prevent users from randomly installing unapproved 
applications, prevent malware from being silently installed within the local 
administrator context, etc.  Prior to our move to AD and GPO's, we received 
push-back on removing local admin rights for reasons such as the logon 
scripts would not work, etc.

By chance, have any of you implemented any of the above--especially the 
removal of local administrator rights?  If so, what support issues did you 
experience?  What impact did removing local admin rights have?

I'd like to provide as many pros and cons back to our team based on your 
feedback.

Thanks in advance,

Jay Lopez

_________________________________________________________________
FREE pop-up blocking with the new MSN Toolbar – get it now! 
http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/ 


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off 
any course! All of our class sizes are guaranteed to be 10 students or less 
to facilitate one-on-one interaction with one of our expert instructors. 
Attend a course taught by an expert instructor with years of in-the-field 
pen testing experience in our state of the art hacking lab. Master the skills 
of an Ethical Hacker to better assess the security of your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html 
----------------------------------------------------------------------------



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------