When a user buys their own computer and sets it up for personal use, they are the administrator of that device and can do whatever they want with it. They can install anything and change whatever settings they want – without the need for approval or review.
In a corporate environment that should not be the case, but unfortunately it is seen more often than IT professionals would like. It usually starts as a quick fix for a request such as a software installation or a setting the user needs changed, like a network adapter configuration.
When it is pointed out that this should never have been granted and the rights are taken away, end users get very upset: they think of their corporate device in the same way as their personal one. End users with administrator rights tend to install personal software such as Steam, Spotify and Discord and use the device for both work and home. This opens massive security holes: if they download and install malware and the security solution is not up to standard, it is a bad time for IT.
Smaller companies sometimes insist that all users have local administrator rights but can never give a definitive reason as to why, other than to make life easier for the end user.
Security software is usually good enough against malware, but the best practice is least privilege: a user needs the minimum access required to do their job correctly and no more.
In previous roles I have seen all managers set as domain administrators, against the guidance of the IT team. This was because managers needed to be able to make changes for users when necessary. A new manager would join and be added to the DA group just because of the job title. The rights were taken away and no one noticed, except for one, who tried to install software for personal use.
The other side of this is that some people do need a level of administrator rights on their computer; a common one is the ability to change network adapter settings. Our field engineers ask for this a lot, as they need to check network routing etc.
To stay within security compliance, we cannot give local administrator access to their account or to a separate account. To find a middle ground, I created a component in Datto RMM called ‘Allow Elevated Access’.
It runs a very basic PowerShell script that adds the user's Entra ID account to the required local group. These groups allow elevated access over specific aspects of the operating system, rather than full local administrator rights.
```powershell
# Datto RMM passes the component's input variables to the script as environment
# variables: UPN holds the user's User Principal Name (e.g. user@netteam.co.uk),
# Role holds the name of the local group to add them to.
$userUPN   = $env:UPN
$groupName = $env:Role
# Entra ID (Azure AD) accounts are addressed on the local machine as AzureAD\<UPN>
$member = "AzureAD\$userUPN"
# Add the Entra ID user to the local group (-ErrorAction Stop so a failure is reported to RMM)
Add-LocalGroupMember -Group $groupName -Member $member -ErrorAction Stop
# Echo the group membership so the result shows in the RMM job output
Get-LocalGroupMember -Group $groupName
```

This component lets a technician grant limited access to another technician or an end user through one of these built-in local groups:
- Event Log Readers – can read all entries in Event Viewer
- Hyper-V Administrators – can run and manage Hyper-V on the local device
- Network Configuration Operators – can change network adapter settings
- Power Users – the closest you can get to an administrator without being one
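The original script takes the group name straight from the RMM variable, so whatever is typed into Role ends up in Add-LocalGroupMember. Below is an added example, not the page's original component, of a hardened version: it allow-lists the four groups listed above so the component can never be used to add someone to Administrators, it is idempotent so a re-run does not fail, it can revoke as well as grant, and it writes an audit event. It assumes, as on the page, that Datto RMM exposes the UPN and Role component variables as environment variables and runs the script as SYSTEM under Windows PowerShell 5.1 (Write-EventLog is not available in PowerShell 7). The Grant-ElevatedAccess function name, the optional Revoke variable and the AllowElevatedAccess event source are this example's own choices.

```powershell
# Added example, not the page's original component. Hardened 'Allow Elevated Access':
# allow-lists the groups it may touch, is idempotent, can revoke, and writes an audit event.
# Assumes Datto RMM provides the UPN and Role component variables as environment
# variables and runs the script as SYSTEM under Windows PowerShell 5.1.

# The only groups this component is permitted to modify; anything else is refused.
$AllowedGroups = @(
    'Event Log Readers',
    'Hyper-V Administrators',
    'Network Configuration Operators',
    'Power Users'
)

function Grant-ElevatedAccess {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $GroupName,
        [switch] $Revoke   # remove the user from the group instead of adding them
    )

    # Refuse anything outside the allow-list so a mistyped or malicious Role value
    # (e.g. 'Administrators') cannot turn this component into a full local admin grant.
    if ($GroupName -notin $AllowedGroups) {
        throw "Group '$GroupName' is not an approved elevated-access group."
    }

    # Entra ID (Azure AD) accounts are addressed on the local machine as AzureAD\<UPN>
    $member = "AzureAD\$UserPrincipalName"

    # Add-/Remove-LocalGroupMember error if the membership is already in the target
    # state, which would make a harmless re-run of the RMM job report a failure.
    $isMember = [bool](Get-LocalGroupMember -Group $GroupName -ErrorAction Stop |
        Where-Object { $_.Name -eq $member })

    if ($Revoke) {
        if ($isMember) {
            Remove-LocalGroupMember -Group $GroupName -Member $member -ErrorAction Stop
            $action = "removed from"
        } else {
            $action = "was not a member of"
        }
    } else {
        if ($isMember) {
            $action = "already a member of"
        } else {
            Add-LocalGroupMember -Group $GroupName -Member $member -ErrorAction Stop
            $action = "added to"
        }
    }
    Write-Output "$member $action local group '$GroupName'."

    # Leave an audit trail in the Application log so the change can be found later
    # (the AllowElevatedAccess source name is this example's own choice).
    $source = 'AllowElevatedAccess'
    if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
        New-EventLog -LogName Application -Source $source
    }
    Write-EventLog -LogName Application -Source $source -EventId 1000 -EntryType Information `
        -Message "Elevated access via RMM: $member $action local group '$GroupName'."

    # Return the resulting membership so it shows in the RMM job output
    Get-LocalGroupMember -Group $GroupName
}

# Entry point when run as the RMM component. Setting a Revoke variable to 'true'
# (this example's own convention) removes the access instead of granting it.
Grant-ElevatedAccess -UserPrincipalName $env:UPN -GroupName $env:Role -Revoke:($env:Revoke -eq 'true')
```

The allow-list is the important part: without it, the component is only as safe as whoever fills in the Role field. The audit event gives you something to search for when reviewing which users hold elevated access, and the idempotent checks mean the same component can be pushed to a device repeatedly without spurious failures.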
On Windows Vista and later the Power Users group is kept only for backward compatibility and by default has no more rights than a standard user unless a custom security template re-grants them, so check what it actually does on your build before relying on it. On the older releases where it still applied, members of the Power Users group could:
- Install programs that do not modify system files or install system services.
- Change system-wide settings that do not affect other users or core security.
- Create and manage local user accounts (except for administrators).
- Create, modify, and delete files in the Program Files and Windows directories (with some restrictions).
- Run legacy applications that require elevated privileges.
Power Users cannot:
- Install device drivers.
- Access or modify files owned by other users.
- Take ownership of files.
- Modify system services or security settings.
- Access the registry in protected areas.
This way you can grant just enough access for people to do what they need to, rather than handing out administrator permissions.
This component runs from RMM and uses the Entra ID identity, so the device does not need line of sight to a domain controller to pick up the change.