4

I'm interested in what are considered best practices when setting up laptops for remote users who are never in the office. With UAC in Windows 7, a standard user is significantly limited in what they can do. When you do not want to turn off UAC or make the user an Admin, what settings do you change to give them some basic access, but remain secure?

Some frustrations I've run into recently include:

  • User is unable to install their home printer without admin rights
  • User cannot remove a corrupted bluetooth keyboard connection without admin rights so they can remate the keyboard
  • User cannot delete global shortcuts from their desktop
  • UAC cuts off access through VNC connections when prompted for admin password

The above list can be expanded indefinitely. In general, what settings and permissions do you change to prepare laptops / notebooks for being on the road as a limited user where admin access is difficult at best?

As an admin, how do you satisfy the user's needs and make support easy when they are not in the office or a simple Remote Desktop connection away?

bendiy
  • 141
  • 3

1 Answers1

4

Provide a separate account with administrator permissions that they can use for those types of activities. The user would not have convenient access to their network resources (documents and email) with that account, so they would not be inclined to use it all of the time. They can use the privileged account primarily for the UAC prompt, or perhaps even to logon with a full desktop for limited edge cases.

If the account is a domain account, it would need to be logged at least once while connected to the network for it to be usable (to cache the credentials).

Note that for this to work, it would require either enforcement of the Administrators group using Group Policy, or auditing to ensure that they haven't added themselves to the Administrators group. There are a variety of approaches.

We actually do this using a local account that has the same account name on each computer, which makes it easy to configure for GPO enforcement. But there are management issues associated with password rotation for local accounts. If you are ok with the user managing the local account password, the local account approach would probably work for you, and you don't need to worry about cached credentials with local accounts.

You may also be interested to know that the Power Users group does not have the privileges that it did on Windows XP (thankfully). However, if you really want to shoot yourself in the foot, it is possible to apply a security template to system files, folders, and registry settings and privileges to grant Power Users the previous level of access.

Permissions and rights have been removed from the Power Users group in Windows Vista
http://support.microsoft.com/kb/2028493

User Rights
http://technet.microsoft.com/en-us/library/dd349804%28v=ws.10%29.aspx

Greg Askew
  • 34,339
  • 3
  • 52
  • 81
  • Greg, I was completely unaware of the changes to the Power Users group (which shows how much I deal with desktop OS'es). Thanks for the info. – joeqwerty Jan 04 '12 at 01:36
  • No problem. I'm actually glad they did, otherwise we would still be using it ;-) – Greg Askew Jan 04 '12 at 01:41
  • This basically gives them local admin access. What the difference between a second user and just making their domain account a local admin on the laptop? Other then having to jump through the UAC hoop, they have the same access. I'm worried that local admin access gives them too much power and create security issues with rouge software installs. – bendiy Jan 04 '12 at 23:58
  • It is not possible to install some applications or printers without administrator permissions. It can be the user, or someone else. We mitigate the risk by using a separate, local account that the user will have a disincentive to not use on a regular basis and does not have access to network resources. Adding their account to local Administrators group can be addressed with a simple GPO. What is installed on workstations should be occurring anyway through some other separate auditing application. To truly separate the concerns, consider providing a vm that the user can use as a sandbox. – Greg Askew Jan 05 '12 at 00:41