Kaseya Community

Desktop local admin rights

  • Hi
    A general question - what level of permission do you give your clients for their desktops?
    do you set their users as local admins? if so, how do you (via kaseya) prevent them from killing their machines?

    do you keep them as standard or power users? if so, do you find they are often calling for silly things because they have no permission (add a printer, small system setting change, etc)? have you found that by not giving local admin rights certain apps don't work properly?

    I'm looking for any advice/thoughts you can provide on this topic. Thanks.

    Legacy Forum Name: Desktop local admin rights,
    Legacy Posted By Username: morristabush
  • Unfortunately, local admin seems to be the norm, even for a certain very massive client we occasionally subcontract with...

    The practical difference between a local power user and a local admin I think is diminished a lot when there's a domain involved.

    Our practice, is to grant local admin only if required by some application. Normally we set them up as standard users. We'd actually prefer to do the printer installs ourselves, so we can keep track of what has been changing on their network. "Small system changes" made by the users tends to be the cause of broken computers anyway...

    How often do they need to install a new printer? Many medium+ sites will have a designated user or two that have access to an empowered domain account for (re-)installing software or printers.

    The BUDR section does have the ability to undo any changes made to the local file system, though you don't want to do that unless everything is saved to the network, or at least to a different partition. ("autorecovery" option if you want it on a schedule.)

    If the desktop user is also paying the bill, then the first repair bill is usually all it takes to prevent them from doing any further harm to the computer. Just bill them at the full rate and mention that it was a result of tampering (don't point the finger, they already know).

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: dwujcik
  • For the most part we strip admin rights from normal users. There are of course exceptions... we base those on application need first then if a user requests it, it depends on the user, and they have to get their POC's OK. So that said it's a hard transistion for some users that are used to doing/installing what ever they want... it takes a bit of time but they normally submit to the fact that they aren't going to get it any time soon.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: thirteentwenty
  • We go the other way, but our market is mainly small business across multiple verticals. There is only 1 plan that we offer where installing applications for our customers is included in the plan, so not allowing them to install their own applications would either require us to change our plans or would make me feel like I'm gouging our clients.

    So all of our customers have local administrator access. We have a three strikes policy for virus cleanup. The first virus we clean up as a result of user issues we let them know about the policy.

    The second virus we clean up as a result of user issues, we let them know that we've notified their manager. (And we notify their manager of what will happen with the third strike).

    The third virus we clean up as a result of user issues, we no longer clean viruses as part of our plan for this company.

    Legacy Forum Name: General Discussion,
    Legacy Posted By Username: Intech-Jason