    Administrative Access On Windows Endpoints

    • BRRABill

      I will admit to not always following best practice and installing myself (and some of my users) as local admins on their machines.

      Granted, this is mainly because we are a smallish shop, and kind of let people do what they want on their machines.

      But in the interest of doing it the right/secure way, I've started converting over.

      I was instantly annoyed by all the times the admin prompt comes up, and was talking to @scottalanmiller about it.

      Download and install Chrome? Admin creds.
      Want to delete the Chrome shortcut off your desktop? Admin creds.

      So, I understand the concept. I was just wondering how many of you leave the default settings for non-admin users, or if you tweak them a little bit to stem some of the calls you get from your users.

      Maybe once the machine is set up (this is on my fresh install of Windows 10) it almost never comes up, but it's been all I have seen as I've been setting this new machine up.

      • JaredBusch

        You are doing setup tasks. Setup takes privilege. What do you expect?

        • Dashrender

          I rarely build a machine as a non admin. I know I'm going to get prompted a million and one times during install - installing/updating requires local admin.

          I generally wait to switch to a non local admin account once setup is complete.

          Sure, there may be a few more admin prompts, but they seem to be pretty few and far between.

          The biggest pain is the day to day management of non MS updates. Unless you have a utility to manage things like Java, Adobe Reader, GreenShot, etc - you'll be running around typing in creds every time there is an update.

          This is where something like https://chocolatey.org/ can come in handy. Sadly I still haven't really got into the swing of using it.

          • BRRABill @JaredBusch

            @JaredBusch said:

            You are doing setup tasks. Setup takes privilege. What do you expect?

            Don't know!

            😲

            • BRRABill

              What's strange is some stuff doesn't ask for permission.

              I guess that is how it gets installed into the system.

              For example, I just installed Evernote, and it did not ask.

              • scottalanmiller @BRRABill

                @BRRABill said:

                So, I understand the concept. I was just wondering how many of you leave the default settings for non-admin users, or if you tweak them a little bit to stem some of the calls you get from your users.

                No admin access for anyone, even admins don't get to "run as admins" day to day. Every time that this feels annoying to you is a time that malware could have gotten root access silently.

                • scottalanmiller @BRRABill

                  @BRRABill said:

                  What's strange is some stuff doesn't ask for permission.

                  I guess that is how it gets installed into the system.

                  For example, I just installed Evernote, and it did not ask.

                  Because it doesn't do anything that requires escalated privileges. You only need admin access when something needs to act as the admin. Tons of things don't need it.

                  • scottalanmiller

                    So some thoughts that I think play in...

                    1. Admin access is dangerous, exposing it exposes your system. Even IT folk need protection from this, it is completely unreasonable for end users to really know what to install, when to install it, track licensing, know what is and isn't malware, etc. Giving them admin access is just bad for so many reasons.
                    2. While installing lots of software requires admin rights, it does not mean that the end user needs to have those rights. LANDesk, Chocolatey, scripts, etc. can handle this task without needing to give the end user blanket admin rights. There is nothing wrong with end users installing their own software, that's a different issue than giving them admin access.
                    3. Why is this painful? What is going on that people are adding and removing software so often that this even gets mentioned, let alone bubbles up as a concern? What process is happening that makes this happen more than, say, once a month per person?
                    4. Why is requesting software from IT painful? What makes the installation from IT not so easy that they care to be doing it themselves?

                    • BRRABill

                      Why does deleting a shortcut off the desktop require escalated privileges?

                      • scottalanmiller @BRRABill

                        @BRRABill said:

                        Why does deleting a shortcut off the desktop require escalated privileges?

                        If it is put there by the admin and privilege isn't transferred to the users, of course it would require that.

                        • scottalanmiller

                          Look at the file permissions of the shortcut.

                          • BRRABill @scottalanmiller

                            @scottalanmiller said:

                            If it is put there by the admin and privilege isn't transferred to the users, of course it would require that.

                            I guess.

                            I mean I don't like that stuff on my desktop, but it's kind of personal preference. I don't want calls because a user is tidying their desktop.

                            • Jason Banned @BRRABill

                              @BRRABill said:

                              desktop, but it's kind of personal preference. I don't want calls because a user is tidying their desktop.

                              Then don't? If it's company standard apps, they get the shortcuts; it's not the end user's choice. They can delete their own stuff all they want. If they are that focused on wanting to delete desktop icons for apps the company provides, then their manager needs to assign them more duties so they don't get bored.

                              • BRRABill @Jason

                                @Jason

                                Haha ... I'd be the one doing it because I have OCD and shortcuts on the desktop annoy me!

                                🙂

                                • JaredBusch

                                  Because the shortcut is not on YOUR desktop.

                                  FFS this is not that hard, are you IT or not? This is basic Windows operation. If you install Chrome with admin rights, then it will put the shortcut in the public desktop at C:\Users\Public\Desktop. That location is admin restricted.

                                  Here is what my office desktop looks like.
                                  [Image: office desktop screenshot]

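The posts above explain the prompt by where the shortcut lives (`C:\Users\Public\Desktop`) and by its file permissions. The script below is an added example, not part of any post in the thread, that checks both for the current user; `Get-EffectiveRights` is a hypothetical helper name, and its allow-minus-deny evaluation is a simplification of the real Windows access check.

```powershell
# Added example, not from the thread. Get-EffectiveRights is a hypothetical helper.
# Run it as the standard (non-elevated) user whose prompts you want to explain.
$Rights      = [Security.AccessControl.FileSystemRights]
$Delete      = [int]$Rights::Delete                        # DELETE on the file itself
$DeleteChild = [int]$Rights::DeleteSubdirectoriesAndFiles  # FILE_DELETE_CHILD on the folder

# SIDs active in the current token: the user plus the groups enabled for it.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

function Get-EffectiveRights {
    param([string]$Path, [string[]]$Sids)
    $allow = 0
    $deny  = 0
    $sidType = [Security.Principal.SecurityIdentifier]
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
    foreach ($rule in $rules) {
        if ($Sids -notcontains $rule.IdentityReference.Value) { continue }
        # Inherit-only ACEs apply to children, not to the object being checked.
        $inheritOnly = [Security.AccessControl.PropagationFlags]::InheritOnly
        if ($rule.PropagationFlags -band $inheritOnly) { continue }
        if ($rule.AccessControlType -eq 'Allow') {
            $allow = $allow -bor [int]$rule.FileSystemRights
        } else {
            $deny = $deny -bor [int]$rule.FileSystemRights
        }
    }
    # Simplification: any matching deny bit wins over any allow bit.
    return $allow -band (-bnot $deny)
}

$desktops = @(
    [Environment]::GetFolderPath('CommonDesktopDirectory'),  # the public desktop
    [Environment]::GetFolderPath('DesktopDirectory')         # this user's own desktop
)

foreach ($dir in $desktops) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # A file can be deleted with DELETE on it or FILE_DELETE_CHILD on its folder.
    $folderAllows = ((Get-EffectiveRights $dir $sids) -band $DeleteChild) -ne 0
    Get-ChildItem -LiteralPath $dir -Filter *.lnk -Force | ForEach-Object {
        $fileAllows = ((Get-EffectiveRights $_.FullName $sids) -band $Delete) -ne 0
        [pscustomobject]@{
            Shortcut               = $_.FullName
            Owner                  = (Get-Acl -LiteralPath $_.FullName).Owner
            DeleteWithoutElevation = $fileAllows -or $folderAllows
        }
    }
}
```

Rows with `DeleteWithoutElevation` set to `False` are the shortcuts that will raise a credential or UAC prompt when the user tries to delete them.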
                                  • scottalanmiller @BRRABill

                                    @BRRABill said:

                                    @scottalanmiller said:

                                    If it is put there by the admin and privilege isn't transferred to the users, of course it would require that.

                                    I guess.

                                    I mean I don't like that stuff on my desktop, but it's kind of personal preference. I don't want calls because a user is tidying their desktop.

                                    I don't like them either and don't want them on users' desktops... so don't put them there. If users want a shortcut, let them make their own rather than forcing it as the admin.

                                    • BRRABill @JaredBusch

                                      @JaredBusch said:

                                      FFS this is not that hard, are you IT or not?

                                      Finally, an acronym with some profanity in it!

                                      I think I've just been doing things "my way" for so long, I forget the way things are supposed to really work.

                                      I've said many times that ML has been a real eye opener. I ain't kidding!

                                      • Dashrender

                                        In thinking about this topic, I too was wondering how BRRABill hasn't run into this admin issue long ago.

                                        But then I recall that he said that he and all of his users run as local admins since the beginning of time. And well, of course, if you've never not been a local admin, then there's never been anything you couldn't do. So why would you know about it?

                                        With the advent of UAC, some things are a little more in your face, making you more aware that you are using admin rights, but that anyone should really understand that these UAC prompts mean this shouldn't just be assumed either.

                                        It's like Scott's RSAT bump-upist. Running into IT personnel who've never heard of it, let alone used it.

                                        • JaredBusch

                                          Deleting items from the public desktop since Windows 7 for certain, and probably Vista has popped a UAC. So even if you are a local admin, you still had to click through a UAC to do it.

                                          • scottalanmiller @Dashrender

                                            @Dashrender said:

                                            In thinking about this topic, I too was wondering how BRRABill hasn't run into this admin issue long ago.

                                            Yeah, we are discussing this offline. More or less, he's never run as or used a Windows user account, only admin ones, and I think by extension, only managed ones where the "users" were admins, too. So the common end user scenarios that we have a hard time imagining not having seen have never come up.
