3

I am looking for possible solutions to prevent local administration privileges for our domain users. Currently, we provide our domain users local administration privileges to avoid issues with different applications. Some applications will not start or work correctly without local administrator privileges.

Now I am interested in the current state of the technologies or best practices to avoid those kinds of permissions. For example, we would like to restrict the local permissions and forbid the installation and execution of untrusted applications.

I've found the Software Restriction Policies and AppLocker as well as MDOP from Microsoft.

Which technologies and best practices could you recommend?

EEAA
  • 110,608
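The question names AppLocker as one option for forbidding untrusted executables. The following PowerShell script is an added example (not part of the question or either answer): it builds an AppLocker allow-list from what is already installed in the standard program directories, writes the policy in audit-only mode so nothing is blocked yet, and dry-runs it against two sample files. The directory `C:\Policies`, the user `YourDomain\Someuser` and the test file paths are placeholders chosen for this example.

```powershell
# Added example: AppLocker allow-list generated from a reference machine,
# deployed in AuditOnly mode. Run elevated on a machine with the standard
# software set installed. Paths and user names below are placeholders.
Import-Module AppLocker

$policyPath = 'C:\Policies\AppLocker-Audit.xml'   # placeholder output location

# Inventory executables, DLLs and installers in the trusted directories.
$fileInfo = @(
    Get-AppLockerFileInformation -Directory 'C:\Program Files'       -Recurse -FileType Exe, Dll, WindowsInstaller
    Get-AppLockerFileInformation -Directory 'C:\Program Files (x86)' -Recurse -FileType Exe, Dll, WindowsInstaller
    Get-AppLockerFileInformation -Directory 'C:\Windows'             -Recurse -FileType Exe, Dll
)

# Publisher rules survive vendor updates; unsigned files fall back to hash rules.
$policy = New-AppLockerPolicy -FileInformation $fileInfo `
    -RuleType Publisher, Hash -User Everyone -Optimize -IgnoreMissingFileInformation

# Start every rule collection in AuditOnly: would-be blocks are logged under
# Applications and Services Logs > Microsoft > Windows > AppLocker, but users
# are not stopped until the log has been reviewed and the mode switched to Enabled.
foreach ($collection in $policy.RuleCollections) {
    $collection.EnforcementMode = 'AuditOnly'
}

$policy.ToXml() | Out-File -FilePath $policyPath -Encoding UTF8

# Apply locally (use -Ldap with a GPO path to publish through Group Policy instead).
Set-AppLockerPolicy -XmlPolicy $policyPath

# Dry-run: what decision would a standard user get for a known-good binary
# and for an installer dropped into a profile folder? (placeholder paths)
Test-AppLockerPolicy -XmlPolicy $policyPath -User 'YourDomain\Someuser' `
    -Path 'C:\Program Files\Internet Explorer\iexplore.exe',
          'C:\Users\Someuser\Downloads\setup.exe' |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize
```

AppLocker only evaluates rules while the Application Identity service (AppIDSvc) is running, so set it to start automatically (on current Windows versions this needs `sc.exe config appidsvc start= auto`, as Set-Service refuses to change this protected service). Keep the policy in AuditOnly until the event log shows no legitimate software being flagged; only then flip the collections to Enabled.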

2 Answers

2

Use Process Monitor and allow rights only where they need them (i.e. the specific registry hive and file folder). This can be done via GPO to grant those kinds of permissions. I did that for acad, for example, and now it works fine without admin rights.

Be aware this is a long process.

Edited: Test out App-V if you can too; the application runs as if it had admin rights, since it's all pre-cached. So if it writes to C:\Windows, the write is redirected into its cache.

yagmoth555
  • 17,495
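The answer above describes the pattern without showing it: once Process Monitor shows an ACCESS DENIED on a particular folder or registry key, grant standard users write access to only those locations rather than making them local administrators. The following PowerShell is an added example, not the answerer's code; `C:\Program Files\ExampleApp\Data` and `HKLM:\SOFTWARE\ExampleVendor\ExampleApp` are placeholder paths standing in for whatever Process Monitor actually reported.

```powershell
# Added example: targeted ACL grants for one application, the scripted
# equivalent of the GPO-based approach in the answer. Run elevated.
# Both paths are placeholders for the locations Process Monitor identified.
$appFolder = 'C:\Program Files\ExampleApp\Data'
$appKey    = 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'

# File system: Modify (not Full Control) for BUILTIN\Users, inherited by
# subfolders and files so the application can create and update its own data.
$acl  = Get-Acl -Path $appFolder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Users',
    [System.Security.AccessControl.FileSystemRights]'Modify',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]'None',
    [System.Security.AccessControl.AccessControlType]'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $appFolder -AclObject $acl

# Registry: read plus write on the key and its subkeys. ReadKey/WriteKey is
# enough for settings storage; FullControl would also hand out permission changes.
$regAcl  = Get-Acl -Path $appKey
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    'BUILTIN\Users',
    [System.Security.AccessControl.RegistryRights]'ReadKey, WriteKey',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit',
    [System.Security.AccessControl.PropagationFlags]'None',
    [System.Security.AccessControl.AccessControlType]'Allow')
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $appKey -AclObject $regAcl

# Verify: list what Users now hold on each location, so the grant can be
# compared against the Process Monitor findings before the change is rolled out.
(Get-Acl -Path $appFolder).Access |
    Where-Object { $_.IdentityReference -eq 'BUILTIN\Users' } |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags -AutoSize
(Get-Acl -Path $appKey).Access |
    Where-Object { $_.IdentityReference -eq 'BUILTIN\Users' } |
    Format-Table IdentityReference, RegistryRights, InheritanceFlags -AutoSize
```

Test the result with a non-admin account and Process Monitor running again: if the application still throws ACCESS DENIED elsewhere, repeat for that location rather than widening the grant. Keeping the rights at Modify/WriteKey instead of Full Control means users cannot re-ACL the directory or key to hand themselves more than the application needs.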
1

What yagmoth555 said. We used this--it grants administrative privileges to processes, not users. (I was primarily asked to grant those privileges to software installers.) Before we had that, we experimented on which directories/registry keys/etc. needed to be writable by users for specific software to run, which usually (but not always) worked.

I will say, however, that the best way to prevent users from installing crud on their workstations is something like:

# Include the built-in local account, otherwise the loop below would strip it from the group too.
$AcceptableAdmins = "YourDomain\Domain Admins", "YourDomain\Someuser", "YourDomain\Someotheruser", "Administrator"

# net localgroup prints a header (alias name, comment, blank, "Members", blank, dashes)
# before the member list; skip those six lines, any blank lines and the trailer.
$members = net localgroup administrators |
    Select-Object -Skip 6 |
    Where-Object { $_ -and $_ -notmatch "command completed successfully" } |
    Where-Object { $AcceptableAdmins -notcontains $_ }

foreach ($member in $members)
{
    net localgroup "power users" $member /add
    net localgroup administrators $member /del
}

(I suspect that's not what you were looking for, but in my experience it's the most effective.)