ghee22 (OP), Member. Joined: Jul 2011. Posts: 5
In terms of user account privileges, should the "main" computer be a Standard user or Administrator on Windows 7?

Member. Joined: Sep 2003. Posts: 12,874. Likes: 34
I will be way in the minority, but I actually allow my users to have LOCAL Admin privileges. You can still use NTFS permissions to lock down folders.

I know it opens you up to downloads and viruses, etc. But, you can use group policy IF you have Active Directory on a server. It just seemed like I was constantly having to Run As Administrator whether to troubleshoot, fix or work on the computer.

That's one opinion.

Now, everyone else will tell you not to. smile


Bert
Pediatrics
Brewer, Maine

ghee22 (OP), Member. Joined: Jul 2011. Posts: 5
Thanks Bert. I have the "main" computer running in a virtual machine (Parallels) from a Mac. Hence, the user on the "main" computer will not be using Windows for anything besides Amazing Charts -- no Internet Explorer.

With this being the case, I feel I should clarify my question. What privileges are needed *only* for Amazing Charts on the "main" computer?

Last edited by ghee22; 10/31/2011 10:03 PM.
Member. Joined: Sep 2003. Posts: 12,874. Likes: 34
Shouldn't need anything but user privileges after the initial install. For some reason you have to start by Run As Admin from the folder even as a domain admin, but after that, you should be all set.


Bert
Pediatrics
Brewer, Maine

Member. Joined: Dec 2009. Posts: 1,197. Likes: 8
Let me be the first to tell you not to. Bert has already given reasons why. Furthermore:

* If users are local admins, they can override any NTFS permissions you have given to limit their access to files/folders on that computer.

* If users are local admins, they can override any Group Policy settings you have given them.

Rule of Thumb: You can NOT deny an administrator. The ONLY account that has any power over users with administrative rights is the built-in account known as Administrator. And the only power it has over users with administrative rights is the power to revoke their administrative status.

To be honest, on a network that is set up properly, you should rarely have to log on as administrator, anyway.

JamesNT


James Summerlin
My personal site: http://www.dataintegrationsolutions.net
james@dataintegrationsolutions.net
Member. Joined: Sep 2003. Posts: 12,874. Likes: 34
Originally Posted by Bert
Best practices would say that any domain admin would restrict local users to users and not local admins.
However in the real world it is generally not practical. SBS 2003 makes users local admins by default and 2008/2011 makes it easy to do so. If you don't make them admins, the admin has to logon to update Acrobat and every other nuisance application or driver. Generally you keep the server and data safe and take the risk with the workstation. NEVER make them domain admins. Still the best practice, if possible, is to keep them as basic users.

Originally Posted by James
If users are local admins, they can override any NTFS permissions you have given to limit their access to files/folders on that computer.
True, you can restrict a local administrator with NTFS just like a user, but an administrator can take ownership of a folder and then change the permissions. But, why would they? There should be NO data on the PC. Not only that, the average user is not going to know how to take permission of a folder. AND, it is one thing to change your wallpaper, but quite another to make an actual permission change to a folder where the folder clearly shows their name as the owner.


Originally Posted by James
If users are local admins, they can override any Group Policy settings you have given them.
No they cannot.

Originally Posted by James
Rule of Thumb: You can NOT deny an administrator.
I will have to admit here that I have never tried this, but I do not think this is true.

Originally Posted by James
The ONLY account that has any power over users with administrative rights is the built-in account known as Administrator.
The built-in administrator account often referred to as a 500 account is almost NEVER used by an admin. It has a few extra powers than a domain admin, but they are basically the same.

Originally Posted by James
And the only power it has over users with administrative rights is the power to revoke their administrative status.
Not true. Local admins are trumped by domain admin, domain admin is trumped by enterprise admin.

Originally Posted by James
To be honest, on a network that is set up properly, you should rarely have to log on as administrator, anyway.
Very true, in an ideal world. Microsoft best practices state you should never work as an administrator and you should never log onto servers, but rather use RSAT (Remote Server Administrative Tools). And the law says we shouldn't drive over 65. What we should do and what we do do are two different things. There are sites where users are just users and somebody has to install every application and update for them. I can't stop seeing patients every time Adobe wants to update or Firefox has a new version.


Bert
Pediatrics
Brewer, Maine

Member. Joined: Dec 2009. Posts: 1,197. Likes: 8
Bert,

Quote
However in the real world it is generally not practical. SBS 2003 makes users local admins by default and 2008/2011 makes it easy to do so. If you don't make them admins, the admin has to logon to update Acrobat and every other nuisance application or driver. Generally you keep the server and data safe and take the risk with the workstation. NEVER make them domain admins. Still the best practice, if possible, is to keep them as basic users.

You are agreeing with me enough here that I'll not comment too much on this. I would point out that I use group policy to push out Adobe Reader, Adobe Flash, and Java Runtime updates.

Example:
http://community.spiceworks.com/how_to/show/549

Quote
True, you can restrict a local administrator with NTFS just like a user, but an administrator can take ownership of a folder and then change the permissions. But, why would they? There should be NO data on the PC. Not only that, the average user is not going to know how to take permission of a folder. AND, it is one thing to change your wallpaper, but quite another to make an actual permission change to a folder where the folder clearly shows their name as the owner.

Deleted at the request of the user.

Quote
No they cannot.

Yes, they can.

http://blogs.technet.com/b/markruss...circumventing-group-policy-settings.aspx

Quote
I will have to admit here that I have never tried this, but I do not think this is true.

The local administrator owns the machine. The only account more powerful than a user with administrative rights is the built-in Administrator account itself. And, as I stated, the only thing the built-in Administrator account can do that a user with administrative rights cannot is revoke Administrative rights. The built-in Administrator cannot have its rights revoked and cannot be deleted. But users with administrative rights can revoke each other all day.

Quote
The built-in administrator account often referred to as a 500 account is almost NEVER used by an admin. It has a few extra powers than a domain admin, but they are basically the same.

For local workstations, this is true. Most IT Admins will simply log on as the Domain Administrator. In fact, when an XP Service Pack 2 or higher machine is a member of a domain, you can disable the local built-in Administrator Account using Group Policy.

Quote
Not true. Local admins are trumped by domain admin, domain admin is trumped by enterprise admin.
Depends on if the machine is a domain member or not. I should have clarified. My apologies. You are correct if the machine is a domain member.

Quote
Very true, in an ideal world. Microsoft best practices state you should never work as an administrator and you should never log onto servers, but rather use RSAT (Remote Server Administrative Tools). And the law says we shouldn't drive over 65. What we should do and what we do do are two different things. There are sites where users are just users and somebody has to install every application and update for them. I can't stop seeing patients every time Adobe wants to update or Firefox has a new version.

I suppose sooner or later simple pragmatism wins. At this point, we agree enough and I see the pragmatic decisions you are making enough that we have run out of issues on this topic to argue over.

JamesNT


James Summerlin
My personal site: http://www.dataintegrationsolutions.net
james@dataintegrationsolutions.net
Member. Joined: Sep 2003. Posts: 12,874. Likes: 34
James,

You keep forgetting one thing. You are a high level IT person. You keep thinking like one when you think of other users. Most users do not have near the technical know how that you do.

You are getting into the never say never or nothing's impossible area. Not to sound stupid, but I don't know how long it took me before I knew Run -- regedit. And, I certainly didn't go mucking around in HKLM too often. An employee at any level making registry changes on an office client computer would be flirting with disaster, to quote Molly Hatchet. There are a few places that GPOs work, but I am just not that worried about someone finding how to block them.

Two issues with your pushing out updates. That is just not something that physicians do. This is at the level of Professional Data Management, Inc. The average physician is just not going to do that. And, you can use WSUS all you want, but there are just going to be instances where you need to do something on a computer that is simply more easily done by the user. Just turn on UAC on ten computers that need admin authentication and find out how many times you find yourself needing to do that. Yes it makes the computer safer, but at some point it is like anything else: Risk/Benefit. The other thing is most networks being used with AC don't have the capacity for using GPOs. This is where the false belief comes in that having a client/server is really a domain network. It's not. It doesn't have Active Directory and GPO and OUs, etc.

Think about this. If all of us doctors could do all of these things, you wouldn't have a job.

Paragraph deleted.

Out of this whole discussion, my biggest piece of advice to you would be to go to your post as fast as you can and edit this line. I would try writing Most of the staff that I see at most practices.... smile


Bert
Pediatrics
Brewer, Maine

Member. Joined: Sep 2003. Posts: 12,874. Likes: 34
ghee22,

I just realized that we actually didn't address your actual question, which was should you run your "main PC" as local user or admin. Here is the answer:

You do not even have to log on to the computer to make SQL Server run. SQL Server will be running as the NETWORK SERVICE or SYSTEM account.

SQL by itself has a built-in backup function but you will not be able to access it. He can set any account with adequate privilege to copy these files out without having to use the Admin account.

Just follow general rules of thumb on server security. Do not use the administrator or a high level account unless you really need to.

I can help you with this.


Bert
Pediatrics
Brewer, Maine
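Two points from this thread are easy to verify on the machine itself: James's warning that local Administrators membership makes NTFS permissions advisory (an admin can take ownership and re-ACL a folder), and Bert's note that SQL Server runs under NETWORK SERVICE or SYSTEM without anyone logging on. The following audit script is an added example, not anything posted in the thread or shipped with Amazing Charts. It assumes the day-to-day account name `acuser` (a constructed placeholder) and uses only the ADSI WinNT provider, WMI and `secedit`, all of which are present in PowerShell 2.0 on Windows 7. Run it from an elevated prompt.

```powershell
# Added example (not from the thread): audit a Windows 7 "main" PC for
# (1) who is in local Administrators, (2) which account SQL Server runs as,
# (3) which principals hold the take-ownership right that bypasses NTFS ACLs.

# Constructed placeholder: the account staff actually log on with.
$DailyUser = "acuser"

# 1. Members of the local Administrators group via the ADSI WinNT provider
#    (works on Windows 7, no Get-LocalGroupMember needed).
$group  = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
$admins = @($group.psbase.Invoke("Members") | ForEach-Object {
    $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null)
})
Write-Host "Local Administrators: $($admins -join ', ')"

if ($admins -contains $DailyUser) {
    # An admin can take ownership and rewrite the ACL, so NTFS is not a control here.
    Write-Warning "$DailyUser is a local admin; NTFS permissions cannot restrict this account."
} else {
    Write-Host "$DailyUser is a standard user; NTFS permissions will hold."
}

# 2. Identity the SQL Server service(s) start as. Expect NT AUTHORITY\NETWORK SERVICE
#    or LocalSystem, not a named user or admin account.
Get-WmiObject Win32_Service -Filter "Name LIKE 'MSSQL%'" |
    Select-Object Name, StartName, State, StartMode |
    Format-Table -AutoSize

# 3. Who holds SeTakeOwnershipPrivilege. Export the user-rights area of the local
#    security policy and look for the line; the default is only Administrators
#    (well-known SID S-1-5-32-544).
$inf = Join-Path $env:TEMP "secpol-audit.inf"
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
Select-String -Path $inf -Pattern "SeTakeOwnershipPrivilege"
Remove-Item $inf
```

If step 3 prints anything beyond `*S-1-5-32-544`, some other group or user has been granted the right directly and can ignore folder permissions regardless of group membership.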

ghee22 (OP), Member. Joined: Jul 2011. Posts: 5
Wow. This thread woke me up quicker than chai! First of all, big thank you to both Bert and JamesNT. Even with Bert's clear cut answer, I realize that there is much background to consider when making this decision. I have learned a great deal, again, thank you.

For my situation, since the Windows 7 "main" computer -- not on a domain -- will not be used for anything except Amazing Charts, I will have it be run by a "standard" user.

I will do the following steps.
1. "Main" running on Windows 7 Home Premium inside of Parallels on Mac.
1a. Install via Administrator. Open up SQL Port on firewall.
1b. Add new "standard" user. This will be the account that is used.

2. "Client" running on Windows 7 Home Premium inside of Parallels on a *different* Mac on the same network.
2a. Install via Administrator.
2b. Add new "standard" user. This will be the account that is used.

Any thoughts?
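Steps 1a and 1b of the plan above (open the SQL port, then add a standard account for daily use) can be done from one elevated PowerShell prompt on Windows 7 Home Premium. This is an added example, not ghee22's own commands: the account name, the office subnet and TCP 1433 are constructed placeholders. Confirm the real port in SQL Server Configuration Manager, since a named instance may listen on a dynamic port.

```powershell
# Added example (not from the post): provision the "main" PC's standard account and
# the SQL firewall rule, then verify the account never landed in Administrators.
# Assumptions (constructed placeholders): account name, subnet, port.
$StandardUser = "acuser"
$LocalSubnet  = "192.168.1.0/24"
$SqlPort      = 1433
$RuleName     = "Amazing Charts SQL ($SqlPort/tcp)"

# 1b. Create the day-to-day account. 'net user /add' puts it in Users only; it is
#     deliberately never added to Administrators. The '*' prompts for the password
#     so it does not appear on the command line or in history.
net user $StandardUser * /add /expires:never | Out-Null

# 1a. Allow the SQL port inbound, but only from the office subnet and only on the
#     Private profile, rather than from any address.
netsh advfirewall firewall add rule name="$RuleName" dir=in action=allow `
    protocol=TCP localport=$SqlPort remoteip=$LocalSubnet profile=private | Out-Null

# Verify: the account is listed under Users and absent from Administrators.
# 'net localgroup' prints one member name per line, so -contains matches exactly.
$users  = net localgroup Users
$admins = net localgroup Administrators
if (($users -contains $StandardUser) -and -not ($admins -contains $StandardUser)) {
    Write-Host "OK: $StandardUser is a standard user"
} else {
    Write-Warning "$StandardUser membership is not as intended; review 'net localgroup Administrators'"
}

# Show the rule as the firewall recorded it (scope, profile, port).
netsh advfirewall firewall show rule name="$RuleName"
```

The client VM in step 2 needs only step 2b (the standard account); it initiates the connection, so no inbound rule is required there.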

Member. Joined: Sep 2003. Posts: 12,874. Likes: 34
Sounds fine to me. I have no experience with Parallels, although I do know what it is.

You can always start with standard user, and if there are issues, move to admin.

One piece of advice. There are many, many users on here that use WIN 7 Home Premium in a non-domain client/server (P2P they would call it) who can give you the experienced answer.


Bert
Pediatrics
Brewer, Maine

Member. Joined: Dec 2009. Posts: 1,197. Likes: 8
By the way, everyone, that comment I made above that Bert pointed out to me was a pretty stupid move to make. Apologies to all.

JamesNT


James Summerlin
My personal site: http://www.dataintegrationsolutions.net
james@dataintegrationsolutions.net
ghee22 (OP), Member. Joined: Jul 2011. Posts: 5
Everything works! Thanks for all your assistance. I was able to get everything working under standard users on Macs, as well as standard users on the Windows 7 virtual machines -- that includes the server and client!

