dippncope, thanks for your post. I've started a thread like this on another forum too and have found that for every person who is vehemently against granting local Admin rights to a domain user there is someone who can make a compelling argument in favor of it.
I personally like the ease of setting up every domain user as a local Admin. We run several programs that require the user to have local Admin privileges, so you can imagine it is easier to set the users up with admin privileges than it is to try to work around the programs' limitations. There are a number of problems solved and less dependency on IT when the users are set up as local Admins too.
On top of that we have not had one issue that's resulted from someone with too many rights (Admin privileges) on their local PC.
That said, I think the odds are against us being so lucky for too much longer. I identified the workarounds I will need for 90% of our users and plan to downgrade all local user rights.
Because of the change I won't need to adjust the local admin privileges from the specific domain user to Interactive User or Domain User. But while we're on the subject I learned that the Interactive Users group includes local Guest logins . . . which could be a problem. I also learned that the Domain Users group is not a fitting choice in a multi-domain environment. The right choice for granting local Admin privileges to everyone while maintaining some level of security is to use the Authenticated Users group.
Gotta run. Thanks again.
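
For auditing the situation discussed in this post, here is an added example (not part of the original post) that lists the members of a PC's local Administrators group and flags the broad group principals mentioned above. The function name `Test-BroadAdminMember` and the choice of which SIDs count as "broad" are assumptions made for this example.

```powershell
# Added example: report who holds local Admin rights on this machine and
# flag catch-all principals (Interactive, Authenticated Users, Domain Users).
# The SID list below is this example's own choice of what to flag.
$broadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-546' = 'BUILTIN\Guests'
}

function Test-BroadAdminMember {
    # Hypothetical helper: returns a label for a broad principal, else $null.
    param([Parameter(Mandatory)][string]$Sid)

    if ($broadSids.ContainsKey($Sid)) { return $broadSids[$Sid] }

    # Domain-relative groups: S-1-5-21-<domain id>-513 is Domain Users,
    # -514 is Domain Guests. Each domain has its own, so match on the RID.
    if ($Sid -match '^S-1-5-21-\d+-\d+-\d+-513$') { return 'Domain Users' }
    if ($Sid -match '^S-1-5-21-\d+-\d+-\d+-514$') { return 'Domain Guests' }

    return $null
}

# Look the group up by its well-known SID so the script also works on
# Windows installs where "Administrators" has a localized name.
$members = Get-LocalGroupMember -SID 'S-1-5-32-544'

$report = foreach ($m in $members) {
    $why = Test-BroadAdminMember -Sid $m.SID.Value
    [pscustomobject]@{
        Name    = $m.Name
        Class   = $m.ObjectClass       # User or Group
        Source  = $m.PrincipalSource   # Local, ActiveDirectory, ...
        Finding = if ($why) { "BROAD: $why" } else { 'named principal' }
    }
}

$report | Sort-Object Finding, Name | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the PC being checked; rows marked `BROAD` are the ones to replace with named accounts or a dedicated group when downgrading local rights.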