Restricting local admin account rights

  • Question

  • I work for an MSP and our policy has always been no local admin rights for anyone (for obvious reasons).

    Recently we've started getting pressure from one of our clients to allow their Dev team to have local admin on their machines - claiming they can't do their jobs without it. It doesn't happen often, but occasionally they call up asking to have Software X installed / something updated / whatever, and we'll do it straight away, no problems. Anyway, they don't like doing things this way and would rather be able to install their own software/updates/etc. Which I guess is not an entirely unreasonable request from a Dev team.

    Anyway, we've discussed it here internally and it's a pretty firm no, you're not getting local admin. But we still want to keep the customer happy, so we're looking for alternative solutions.

    One idea we had was to create a second account for each of the Dev users (user1.admin or similar) and add that account to the local admins group on their individual computers. Would it be possible to restrict that account to the point where they can't log in to the desktop and only use it to RunAs? I wouldn't be so worried if there was a UAC prompt / actual thought going into it every time something was happening as admin. Obviously our contract with them would need to be updated to include "with great power comes great responsibility - don't break stuff!"

    Or is there a better way? How does everyone else deal with users who "need" more control over their machines?

    Tuesday, August 29, 2017 4:09 AM
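As an added illustration of the secondary-account idea in the post above (example code, not from the original thread): a PowerShell script that provisions the `user1.admin` account as a local Administrator and then reports how it has been used, distinguishing RunAs / explicit-credential use (event 4648) from an actual interactive desktop logon (event 4624, logon type 2). It assumes Windows 10 / Server 2016 or later with the built-in LocalAccounts module and an elevated session; the account name and the `-Hours` window are assumptions taken from the post and chosen here.

```powershell
# Added example, not from the original post. Provisions the secondary admin
# account the question proposes and reports its use from the Security log.
# Note: the "Deny log on locally" user right is not used here because
# runas.exe itself requests an interactive logon, so that right would block
# RunAs as well; monitoring is used instead.
$AdminAccount = 'user1.admin'   # name taken from the post

function New-SecondaryAdminAccount {
    param([Parameter(Mandatory)][string]$Name)
    # Prompt for the password instead of embedding it in the script.
    $password = Read-Host -AsSecureString "Password for $Name"
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $Name -Password $password `
            -Description 'Secondary account for RunAs elevation only' | Out-Null
    }
    # Membership in local Administrators is what gives RunAs its elevation.
    Add-LocalGroupMember -Group 'Administrators' -Member $Name -ErrorAction SilentlyContinue
}

function Get-SecondaryAdminUsage {
    param([Parameter(Mandatory)][string]$Name, [int]$Hours = 24)
    # 4648 = "logon attempted using explicit credentials" (RunAs, run-as-other-user);
    # 4624 with LogonType 2 = a real interactive desktop logon with the account.
    $filter = @{ LogName = 'Security'; Id = @(4648, 4624); StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetUserName -ne $Name) { return }
        if ($_.Id -eq 4624 -and $d.LogonType -ne '2') { return }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Kind    = if ($_.Id -eq 4648) { 'RunAs / explicit credentials' } else { 'Interactive desktop logon' }
            By      = $d.SubjectUserName
            Process = $d.ProcessName
        }
    }
}

New-SecondaryAdminAccount -Name $AdminAccount
Get-SecondaryAdminUsage -Name $AdminAccount | Format-Table -AutoSize
```

Any 'Interactive desktop logon' row is the case the post wants to prevent and is worth an alert, whereas 'RunAs / explicit credentials' rows are the intended use.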
