Kaseya Community

Best Way to Limit Workstation Rights ?

  • We would like to setup our client workstations with more limited rights as we move towards a true MSP model.

    Almost all of our existing users are local admins currently.

    We are looking for any suggestions about limiting local rights without affecting client workflow.

    Almost all of our client workstations are in domains, so Group Policies are likely our management tool of choice, although scripts may be used.

    Removing local admin rights completely would be too restrictive for most of our users.

    Any suggestions or Best Practices from MSPs who have or will implement(ed) workstation restrictions?

    Thanks for the feedback!

    Legacy Forum Name: Best Way to Limit Workstation Rights ?,
    Legacy Posted By Username: exceptionalit
  • We tried removing admin rights to workstations a couple of years ago. Failed miserably. Tried Poweruser, not much better. We found the problems that it caused and the frustration that it generated for the customers did not match the benefit of the lock down. A good "computer use policy"(signed by all users), anti-virus (we use KES with link scanning) and a good firewall that does web filtering - combined take care of most issues. We have 60+companies and over 1800 deployments like this. However, We do use admin lock down in certain circumstances, shop floors in production for example.
    www.f1networks.com

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: jrvandy
  • I'm a non-admin shop here. Yes, users will complain within the first few months of losing their administrator rights. However, it enforces "It's a company computer and the company determines it's use" fact. You just have to convince management it's a good thing. Tell them it's a screw up from Microsoft's past that they've been trying to correct for some time now. Use UAC as an example for them to see. In fact I have it as a requirement in my upper two service levels. It's stops most unwanted software installs, makes it easier to make sure all software and installations are consistant and properly licensed. It also stops most malware in it's tracks since they try to use program files and windows folders. However, I still recommend using A-V too. In fact I have two clients (pliot customers) that have around 65 systems and only one reported virus/spyware infection since 11/2005.

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: connectex
  • We do believe that removing end-user local admin rights would be the best way to completely control our networks.

    However, many of these networks have been in place for long periods of time and users would be very resistant to lack of local admin rights.

    Has anyone tried limiting specific files, folders or used security policies to control machines?

    We are looking for something in between none and complete end user control over their pc's.

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: exceptionalit
  • Going from none to total control does take awhile and explanation to the users and the owners of the business. The end result is you have to start with one thing at a time and justify each and every little thing - usually explaining why allowing end users to do things can be a security problem works in my experience, but if the end users have always been allowed to go willy-nilly on their units then it's true they will be resistant and will complain about it ALOT .... We started small on customers like this, made sure they had everything first that they had before, then started blocking websites using OpenDNS, and using Kaseya to block certain Instant Messengers - all the while keeping the owners and Management informed of when and why we were instituting the changes and letting end users know when it would happen and what they can do to have the same functionality (in their eyes) when the new restrictions go into place - all the while maintaining our insistence of whatever the security flaw is/was and why it should be blocked, etc ... the next step was to start creating security groups and then allowing only specific groups to access specific files on the server, but really you can do these steps in any order and eventually you will get to a place where the programs are uniform across a business and locking them down completely becomes much easier at that time.

    Legacy Forum Name: MSP General Discussion,
    Legacy Posted By Username: TBK Consulting