
I am looking for possible solutions to prevent local administration privileges for our domain users. Currently, we provide our domain users local administration privileges to avoid issues with different applications. Some applications will not start or work correctly without local administrator privileges.

Now I am interested in the current state of the technologies or best practices to avoid those kinds of permission. For example, we would like to restrict the local permissions and forbid the installation and execution of untrusted applications.

I've found the Software Restriction Policies and AppLocker as well as MDOP from Microsoft.

Which technologies and best practices could you recommend?

  • The best preventative measure is to not give them local administrative privileges to begin with. Unfortunately, sometimes there are terrible applications that require it. Weigh your priorities. – Hyppy Dec 16 '14 at 15:31
  • @Hyppy Indeed, but we need to improve our domain structure. Some users exploit those additional local privileges. –  Dec 16 '14 at 15:35
  • It sounds like you have two separate issues, then. One, you have an IT issue with applications that require administrative privileges for the end-users to run. Two, you have an HR issue with users that should not be employed if they circumvent and exploit company policy. – Hyppy Dec 16 '14 at 15:42
  • @hofmeister Small piece of advice from someone who's been in the situation of taking away local admin from users accustomed to full permissions... Make sure your managers are on board and are the first to give up their permissions. If you don't have the HR side of things squared away before you start, don't. – Reaces Dec 16 '14 at 15:45
  • Also relevant: http://serverfault.com/questions/323706/what-should-i-do-about-a-misbehaving-user – Hyppy Dec 16 '14 at 15:45

2 Answers

Use Process Monitor and allow rights only where they need them (i.e. the registry hive and the file folder). This can be done via GPO to give those kinds of permissions. I did that for acad, for example, and now it works fine without admin rights.

Be aware this is a long process.

Edit: Test out App-V too if you can; the application runs as if it had admin rights, as it's all pre-cached. So if it writes to c:\windows, it's redirected into its cache.

yagmoth555
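The "allow rights only where they need them" step above, as an added PowerShell example that is not the answerer's code: once Process Monitor has shown which folder and registry key an application writes to, an administrator grants a domain group Modify on exactly those two objects instead of local admin. The group name, folder and registry key are assumptions; substitute the locations ProcMon reported. Run elevated; the same ACLs can be pushed fleet-wide with Group Policy Preferences.

```powershell
# Added example (not from the answer). Grants write access only to the folder and
# registry key an application actually needs, leaving users out of Administrators.
# Group, folder and key are assumed values; replace with what Process Monitor reported.

$Group  = "YourDomain\SomeApp Users"            # assumed domain group of the app's users
$AppDir = "C:\Program Files\SomeApp\Data"       # assumed folder the app writes to
$AppKey = "HKLM:\SOFTWARE\SomeVendor\SomeApp"   # assumed registry key the app writes to

# Folder: Modify (read/write/delete content) inherited by files and subfolders.
# Not FullControl, so users cannot change permissions or take ownership.
$dirRule = New-Object System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Group, "Modify", "ContainerInherit, ObjectInherit", "None", "Allow"
$dirAcl = Get-Acl -Path $AppDir
$dirAcl.AddAccessRule($dirRule)
Set-Acl -Path $AppDir -AclObject $dirAcl

# Registry key: ReadKey + WriteKey (query/set values, create subkeys), again without
# ChangePermissions, TakeOwnership or Delete on the key itself.
$keyRule = New-Object System.Security.AccessControl.RegistryAccessRule `
    -ArgumentList $Group, "ReadKey, WriteKey", "ContainerInherit", "None", "Allow"
$keyAcl = Get-Acl -Path $AppKey
$keyAcl.AddAccessRule($keyRule)
Set-Acl -Path $AppKey -AclObject $keyAcl

# Verify: list the explicit (non-inherited) entries now present for the group on both objects
foreach ($path in $AppDir, $AppKey) {
    "== $path"
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Group -and -not $_.IsInherited } |
        Select-Object IdentityReference, AccessControlType, InheritanceFlags, *Rights
}
```

Rerun Process Monitor with the user logged in after applying the ACLs: any remaining ACCESS DENIED result points at another location to add, while nothing outside those entries has become writable.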

What yagmoth555 said. We used this; it grants administrative privileges to processes, not users. (I was primarily asked to grant those privileges to software installers.) Before we had that, we experimented on which directories/registry keys/etc. needed to be writable by users for specific software to run, which usually (but not always) worked.

I will say, however, that the best way to prevent users from installing crud on their workstations is something like:

# Accounts allowed to remain in the local Administrators group
# (the built-in local Administrator is kept so the machine is never left without one)
$AcceptableAdmins = "Administrator", "YourDomain\Domain Admins", "YourDomain\Someuser", "YourDomain\Someotheruser"

# "net localgroup" prints a header (Alias name, Comment, Members, a dashed rule) before
# the member list and a status line after it; keep only the lines after the dashed rule
$output  = net localgroup administrators
$start   = ($output | Select-String -Pattern '^-{10,}').LineNumber   # 1-based, so this indexes the first member
$members = $output[$start..($output.Count - 1)] |
    Where-Object { $_ -and $_ -notmatch "command completed successfully" } |
    Where-Object { $AcceptableAdmins -notcontains $_ }

foreach ($member in $members)
{
    net localgroup "power users" $member /add
    net localgroup administrators $member /del
}

(I suspect that's not what you were looking for, but in my experience it's the most effective.)

Katherine Villyard
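The question also asks about AppLocker for forbidding the execution of untrusted applications, which neither answer covers. The following is an added PowerShell example, not code from the question or the answers: it builds an AppLocker policy that allows executables found in the standard install locations (publisher rules for signed binaries, hash rules for the rest), tests a sample path against it, and imports it in audit-only mode so blocks are logged but not yet enforced. The directories scanned, the test path and the output file are assumptions; the AppLocker module requires an edition that ships it and an elevated session.

```powershell
# Added example (not from the page). Builds and audit-imports an AppLocker policy.
# Directories, test path and output file are assumptions; adjust to your environment.

# Inventory the executables users are expected to run (slow on C:\Windows, run once)
$info  = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe
$info += Get-AppLockerFileInformation -Directory 'C:\Windows' -Recurse -FileType Exe

# Publisher rules where the binary is signed (survive updates), hash rules otherwise.
# -Optimize merges rules for the same publisher; -Xml returns the policy as XML text.
[xml]$doc = New-AppLockerPolicy -FileInformation $info -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml

# Start in AuditOnly: would-be blocks appear in the Microsoft-Windows-AppLocker event
# log without stopping anyone, which is how you find the applications you missed.
foreach ($rc in $doc.AppLockerPolicy.RuleCollection) {
    $rc.SetAttribute('EnforcementMode', 'AuditOnly')
}
$policyFile = 'C:\Temp\applocker-audit.xml'   # assumed output path
$doc.Save($policyFile)

# Dry run: a binary dropped into a user profile matches no rule, so once the Exe
# collection is enforced it is denied (PolicyDecision shows DeniedByDefaultRule).
Test-AppLockerPolicy -XmlPolicy $policyFile `
    -Path 'C:\Users\someuser\Downloads\setup.exe' -User Everyone

# Import locally (merge with any existing rules); use -Ldap to target a GPO instead.
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
```

Once the audit log has been quiet for a few weeks, change the attribute to Enabled and reimport. Keep the inventory of allowed paths honest: AppLocker denies everything a collection does not explicitly allow, so a policy that omits an administrative tool will lock out administrators as readily as users, and the Application Identity service must be running for rules to apply at all.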