Question for the NT/2K sysadmins out there...
In a domain login environment, what additional security risks (*if* any ... I'm not convinced there are, though) might a company be exposing itself to in giving Win2K/NT users LOCAL administrative access?
One current plan is to migrate users into the domain w/the Win2K rollout; user will log into the domain, but his/her domain account will be made a member of the LOCAL Administrators group, allowing full control over the local system (of course, this'll only be the case for systems with only one user).
There have been misc. grumblings that such a plan decreases network security overall - yet when pressed, nobody can explain why.
Myself, I don't see any additional security risk w/such a plan. Perhaps there may be more room for users doing "damage" to their own systems, but these elements can hopefully be controlled by group policies.
Thoughts/comments?
- NetARC

What you are describing is often done to make administration easier. What you probably run into is that users want to do stuff like change their background, screen saver etc, and bug you when they can't. Or, they want to install some application they like, like the Webshots screen savers etc. The problem with making them administrators is that they do have the ability to do whatever they want on their pc, including installing applications. Some applications may do things on your network that you don't want, like trojan horse programs etc. I'm not necessarily saying not to make them administrators, I guess the question is whether or not it is required and why.

Overall you won't have a huge risk. I mean, if a user that is working in the company decides they want to hack something, well, there's not much you can do, they'll get in some way. Just make sure your employees are aware that they shouldn't go "outside the box" and that certain things aren't allowed, and some are considered illegal (like child porn).
Other than that, the downside of making the users local administrators is that they have free rein on their machines. This means they can install whatever they want, which could be anything from RealPlayer, to the latest hacker's tools, to some hacker's trojan.
I'd say that 89% of the users out there wouldn't be able to do anything destructive to the network with local administrative rights on their machines. On the up side, tell your people it will be easier to fix some problems because you can walk the users through things over the phone without having to worry about rights and privileges. And your users can install their own software without having to track down IT people. It will also make it easier to roll out upgrades because you won't have to worry about permissions at all.
Overall I'd push for setting up the user with local administrative rights (of course, you'll also have a local Administrator account in case you need to get into that box if it has major problems). I'd worry more about forcing people to change their passwords every so often, because that's the key security problem I've always faced. If someone doesn't have rights to do something I've always seen users just "borrow" someone else's login to do something, and most have their name and password taped to the side of the monitor!
Ok, I'm gonna stop babbling now, too much caffeine......
