I'm not a sysadmin, but I've been given the task of auditing and finding better ways to manage local admin rights in our organization. I've done some research and understand the options available, but I'm confused about how helpdesk personnel can perform necessary tasks like modifying the registry, uninstalling applications, and using Device Manager without being granted temporary local admin rights. Is everyone expected to log into a specific account every time they need to do something? Also, we have applications that require users to install them personally. Should we approach this with application whitelisting instead? Any insights on handling registry edits or using component services while keeping security in mind would be greatly appreciated. Currently, I'm considering options like 'Make Me Admin', 'Admin by Request', and GPO restrictions, but I'm unsure what the best approach is.
5 Answers
I recommend keeping admin access separate from daily tasks. In our company, tech staff has a regular user account and a separate admin account for installations. This way, there is less risk of misuse. We’re currently looking into Privilege Elevation Management solutions for streamlining this process. Until then, if a user needs something, they submit a ticket, and we assist or install remotely.
Yes, many people end up using the specific admin account each time they need access. If helpdesk needs to do something frequently, a tool like Auto Elevate is worth looking into for managing these permissions while reducing risk. Ultimately, it’s about striking a balance between convenience and security. If something goes wrong, are you prepared to handle the consequences?
We make use of Delinea Privilege Manager to auto-elevate certain installers while still controlling what users can do. It was easy to deploy thanks to professional services, which made things smoother. The focus now is reducing the number of local admins significantly and transitioning to a stricter model. The fewer people with admin rights, the better we can secure our systems.
Definitely! It's all about making sure only the right folks get access when they truly need it.
It sounds like there’s a need for clear policies within your IT department. Ideally, only devs and sysadmins would have local admin rights. If that’s not feasible, consider letting users submit requests for admin access as needed. However, this can be a temporary fix, and it might be worth exploring how you can manage their systems without giving them those rights directly. Sometimes it's as simple as deploying the tools they need and handling installations through a support ticket system.
You’re spot on about the ticket system. That's how we manage it too—users just submit a request, and then the support team takes care of the installations after getting approval.
Absolutely! It’s all about setting up the right processes to limit admin access while still getting things done efficiently.
While some local admin access can be necessary, managing risk is key. Avoid giving blanket local admin rights; instead, research your software needs and consider centralized solutions wherever possible. By being proactive and adjusting permissions based on real software requirements instead of assumptions, you can minimize potential problems down the line.
Nice! Auto-elevating can really save time and enhance security—one of our clients did this too and saw fewer issues.