We currently have all our users as local administrators. A couple of years ago
we attempted to restrict our desktops, but fail short due to particular
applications requiring local permissions while the user themselves were logged
in.

We continue to fall flat when applications we do not want installed, example:
Google Toolbars, google earth, and Google search (most recent events).

The problem is that there are several web-based applications that are used
throughout our office that require installing plug-ins, Palm devices that
require administrator permissions to install, and other situations where the
past attempt failed.

The Run As does not always seem to be a valid option. Programs like the palm
will write several entries under HKCU, so logging into the workstation as admin
is not an option.

I have made several forum posts where people have question why we are using
Administrator permissions on our workstation. Am I missing something here?

Thanks,

jeffh wrote:
> We currently have all our users as local administrators. A couple
> of years ago we attempted to restrict our desktops, but fail short
> due to particular applications requiring local permissions while
> the user themselves were logged in.
>
> We continue to fall flat when applications we do not want
> installed, example: Google Toolbars, google earth, and Google
> search (most recent events).
>
> The problem is that there are several web-based applications that
> are used throughout our office that require installing plug-ins,
> Palm devices that require administrator permissions to install, and
> other situations where the past attempt failed.
>
> The Run As does not always seem to be a valid option. Programs like
> the palm will write several entries under HKCU, so logging into the
> workstation as admin is not an option.
>
> I have made several forum posts where people have question why we
> are using Administrator permissions on our workstation. Am I
> missing something here?

Very few applications (if any) truly need full administrative rights to
*run*.

Sure - they may need write permission to a select directory or three.. They
may even need certain special rights to some registry keys/values. But very
few are still so badly designed that they will not run or configure under a
regular user account after they are installed.

If you are saying you are having trouble because those in your office need
to install things frequently - that is a whole different story. That is
handled by policies - political policies. This means the management of the
company in question has to allow the IT department some ability to restrict
what may be on the machine for stability and security reasons - otherwise
there is no real point in the department other than fixing the problems
caused by habving all these users setup as admins so they can install/do
whatever they like.

The google products do not need to have admin rights to run.
Palm devices may require admin rights to install - but not to run.

And I wouldn't want my users installing random devices on the system
anyway - and especially not random software. After all - these are work
machines - if they are always crashing because the user decided Bit Torrent
sounded cool and tried it - then productivity has decreased by at least that
worker. Not to mention the implication of having all admins with
viruses/trojans floatingg around as well as just the amount of spyware that
is better controller with user rights.

You need to discuss this with management of whatever company you work for -
tell them that in order to have better productivity with the equipment you
have - there will have to be some boundaries. You can step over those
boundaries as you see fit - but I would not make it habit.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html

jeffh wrote:
> We currently have all our users as local administrators. A couple of
> years ago we attempted to restrict our desktops, but fail short due
> to particular applications requiring local permissions while the user
> themselves were logged in.
>
> We continue to fall flat when applications we do not want installed,
> example: Google Toolbars, google earth, and Google search (most
> recent events).
>
> The problem is that there are several web-based applications that are
> used throughout our office that require installing plug-ins, Palm
> devices that require administrator permissions to install, and other
> situations where the past attempt failed.
>
> The Run As does not always seem to be a valid option. Programs like
> the palm will write several entries under HKCU, so logging into the
> workstation as admin is not an option.
>
> I have made several forum posts where people have question why we are
> using Administrator permissions on our workstation. Am I missing
> something here?
>
> Thanks,

I have heard of this type of problem with businesses using XPHome but
not XPPro. There are nine different levels of user permissions along
with
many group policies. An IT is just asking for problems if an employee
is
able to do anything more than their job.