Tuesday, August 5, 2008

Give Logged In User Local Administrator Rights

Issue:
In our small company we trust our users and would like them to be local administrators on their computers but limit network access to other workstations.

Quick:
Grant the built-in Interactive group local admin permissions. At the command line, type "net localgroup administrators interactive /add"


Learning:
In a company with a small, trusted user base it may be tempting to just grant the "Domain Users" group administrative rights on all the workstations. This allows users to install their own software when needed and reduces the workload on administrators, who would otherwise have to set up administrative rights for individual users on each computer. On the other hand, even if you trust all of your users, it is not a good idea to give blanket administrative rights on all the workstations. In that case, if one user gets malicious software on his computer, that software now has access to all the other workstations as well.

Interactive is a built-in Windows group that allows you to give specific rights to the user account that is currently logged into the computer. However, if you look under your local groups in the GUI, you will not see such a group or user listed anywhere. I think of Interactive as more of a variable or a placeholder for whoever is currently logged in.

By adding Interactive to the local Administrators group, anyone who is logged in interactively (using Ctrl-Alt-Del to log in) at that computer will have administrative rights. When they log out of that first computer and log in somewhere else, they will no longer have administrative rights to the first computer over the network.

You can give the Interactive Users local administrator rights using the GUI. You need to open a command prompt and type the following:

net localgroup administrators interactive /add
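
To confirm what the command above changed, or to audit a workstation for the broader grants discussed in this post, the following added example (not part of the original post) lists the members of the local Administrators group and flags the wide-reaching ones. It assumes Windows PowerShell 5.1 or later with the built-in Get-LocalGroupMember cmdlet, run from an elevated prompt; the function name Test-BroadAdminMember is made up for this example.

```powershell
# Added example: audit the local Administrators group for broad principals.
# Well-known SIDs: S-1-5-32-544 = BUILTIN\Administrators, S-1-5-4 = INTERACTIVE,
# S-1-5-11 = Authenticated Users, S-1-1-0 = Everyone. RID 513 = Domain Users.
$broadSids = @{
    'S-1-5-4'  = 'INTERACTIVE: whoever is logged on at this computer is an admin'
    'S-1-5-11' = 'Authenticated Users: any authenticated account is an admin'
    'S-1-1-0'  = 'Everyone: any account is an admin'
}

# Hypothetical helper: returns a reason string for a broad SID, else $null.
function Test-BroadAdminMember {
    param([Parameter(Mandatory)][string]$Sid)

    if ($broadSids.ContainsKey($Sid)) {
        return $broadSids[$Sid]
    }
    # Domain SIDs have the form S-1-5-21-<three sub-authorities>-<RID>.
    if ($Sid -match '^S-1-5-21-(\d+-){3}513$') {
        return 'Domain Users: every domain user is an admin here, also over the network'
    }
    return $null
}

# Look the group up by SID so the check also works on non-English Windows,
# where the group is not named "Administrators".
$members = Get-LocalGroupMember -SID 'S-1-5-32-544'

foreach ($m in $members) {
    $sid  = $m.SID.Value
    $why  = Test-BroadAdminMember -Sid $sid
    $flag = ''
    if ($why) { $flag = $why }

    [pscustomobject]@{
        Member = $m.Name
        SID    = $sid
        Source = $m.PrincipalSource   # Local, ActiveDirectory, ...
        Flag   = $flag
    }
}
```

A row flagged INTERACTIVE is the setting this post applies; a row flagged Domain Users is the blanket grant the Learning section argues against.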
