Power User Rights

Question

Power User Rights

easn 0

Team,

I want to use power user right concept and want to create a single admin account. I want to convert the current admin accounts in to Power user accounts to limitize the admin rights of the user for accesing and installing applications and softwares.

Please assist me how can i use incorporate that?

2 answers

Your answer

Answer 1

Michael Taylor 60,161

While I don't understand your specific use case, the solution it appears you are trying to go for isn't recommended. Power Users, by design, went away as no user needs that much power. The Administrators account, which is always available, combined with UAC helps ensure that users that need admin level privileges get access. But few users should have this permission. The PU group historically had almost as much power as Admins and so was a security risk. It is like granting people admin rights without being able to use UAC to prevent malicious code from using it.

The recommended security approach is Least Privilege. Ideally a user never needs permissions to do privileged work in their normal account. Hence they are normal Users. If you really need to grant some users privileged access then the correct solution is to create one or more groups with the minimal privileges needed. For example you may need a set of users to muck with network settings so create a Network Manager group. Grant that group the minimal privileges to manage network stuff. Then add users to that group who need access. Do this for each set of privileges based upon user sets. Now you can grant users access to just the subset of permissions they need.

In the rare case where you need admin level privileges for a user then ideally have them log in to a special account rather than their regular account. If they rarely need that level of access then this prevents them from running, normally, with more privileges than they need.

easn 0 Reputation points

2024-11-06T15:39:19.3+00:00

I have multiple users from development team,field team,and network team they always asking for admin rights for their machine and want to reduce or remove that practice without impacting their work and development. How do I remove their administration rights as their work will impacted if converted them in standard users. What are the alternatives?
Michael Taylor 60,161 Reputation points

2024-11-06T16:13:49.08+00:00

Developers, in general, don't need admin privileges except to install software and debug low level stuff like services. Everything else can be done w/o admin privileges. But it is a pain because a lot of the tools require elevated privileges. I cannot answer to why your field/network teams need privileges but if it is just to install software then they are likely going to need admin privileges as well.

In that case there is no benefit in creating a custom group. The benefit of the admins group is that UAC, which you need to ensure is on, will keep them as standard users until they do something admin-like. At that point they get a confirmation so they know they are doing something sensitive, the work is done, and then they are back to standard user. This is the most secure approach and shouldn't be worked around.

Creating a custom group (PU or otherwise) means UAC doesn't work anymore AND the users will ALWAYS have the permissions you grant them. Since installing software generally requires access to sensitive files and registry entries then they will basically always be running as admins because UAC can't work here. You have circumvented the security barriers.

The best option is to eliminate the need for admin privileges. Like I said, devs don't technically need admin access except when they are installing software. You could remove their permissions but they'll complain and you'll spend a lot of time helping them. For the field/network teams that need to install software only then you could create an AD group for this but some installers require admin privileges and there is no workaround. Creating an AD group with custom privileges and then putting it into the local Admins group is no different than just giving the users admin privileges.

Here's a link to another discussion with a similar problem and ultimately the same conclusion - https://learn.microsoft.com/en-us/answers/questions/153336/best-practice-security-group-for-software-installa
Michael Taylor 60,161 Reputation points

2024-11-06T16:15:06.2766667+00:00

Forgot to point out, if you are just trying to manage the users without having to go to each machine then create an AD group with the users and then add that AD group to each machines local Admins group. But devs probably shouldn't have admin privileges on machines other than their own and using an AD group would allow that.
easn 0 Reputation points

2024-11-06T17:21:02.0166667+00:00

My task is removal the admin right from the user level and grant required access without admin right, keeping in mind end user task won’t impacted whether its developer or network user or field user who is accessing the network over VPN.
Michael Taylor 60,161 Reputation points

2024-11-06T18:04:01.0466667+00:00

You cannot remove admin rights from users and still allow them to install software unless the software allows per-user installations. It doesn't matter what user groups you create to replace the admin group. Installers that require admin privileges look for membership in the Administrators group. There is nothing you can do about that.

If none of the apps you need to allow installed require admin privileges then normal user accounts will be fine. You'll have to review each of the installers you expect them to run.

Alternative to having users install their own software is to auto-install software and updates using group policies. This would handle common things like ensuring dev machines have the latest VS updates installed (which supports admin installs without users having admin access) but you'd need to work with your dev team to ensure everything they need is on the list and kept up to date.

Answer 2

easn 0

can network users access VLAN in suggested solution? Will power user a perfect solution or there is any other alternative solution?

Share via

Power User Rights

2 answers

Your answer