Local accounts for domain users best practice
|
Prev: Remove WMI filter
Next: Search in WSS3.0 in SBS 2008
From: CourtK on 25 Feb 2010 12:21 We have some clients that have the domain user in a local administrator group only, no local account. What are best practices for adding domain users to the workstations? In an environment where the users do not need roaming profiles, is it advantageous to set up local accounts for the domain user? Could not having a local account cause the profile to be volatile? Thank you, CourtK
From: Joe on 25 Feb 2010 12:53 CourtK wrote: > We have some clients that have the domain user in a local administrator > group only, no local account. What are best practices for adding domain > users to the workstations? In an environment where the users do not > need roaming profiles, is it advantageous to set up local accounts for > the domain user? Could not having a local account cause the profile to > be volatile? > The best practice for a Windows domain is to have no local workstation users or membership of local groups at all. Local accounts have no connection with any domain which may exist on the same network. Presumably the customer is using the Microsoft domain model of networking for a reason? The addition of users to the local administrators group makes the computer completely vulnerable to any malware that they might run, and it is therefore considered a poor idea. Unfortunately some companies produce software which can only be run by administrators, indicating extreme ignorance on the part of their programmers concerning the platform they use, and requiring hope and faith that their grasp of the business application is somewhat better. -- Joe
From: CourtK on 25 Feb 2010 13:04 Let me rephrase this, If we want the user to be a local Power User or local Administrator is it best to add the domain user to a local group, with no specific local account, or to add a local account? "Joe" <joe(a)jretrading.com> wrote in message news:e$MuBOktKHA.4752(a)TK2MSFTNGP04.phx.gbl... > CourtK wrote: >> We have some clients that have the domain user in a local administrator >> group only, no local account. What are best practices for adding domain >> users to the workstations? In an environment where the users do not need >> roaming profiles, is it advantageous to set up local accounts for the >> domain user? Could not having a local account cause the profile to be >> volatile? >> > > The best practice for a Windows domain is to have no local workstation > users or membership of local groups at all. Local accounts have no > connection with any domain which may exist on the same network. Presumably > the customer is using the Microsoft domain model of networking for a > reason? > > The addition of users to the local administrators group makes the computer > completely vulnerable to any malware that they might run, and it is > therefore considered a poor idea. Unfortunately some companies produce > software which can only be run by administrators, indicating extreme > ignorance on the part of their programmers concerning the platform they > use, and requiring hope and faith that their grasp of the business > application is somewhat better. > > -- > Joe
From: Cliff Galiher - MVP on 25 Feb 2010 13:49 Don't use local accounts. There is absolutely no benefit and it only makes management more difficult. -Cliff "CourtK" <noreply(a)noreply.com> wrote in message news:B46E2707-AC58-4F56-9AA6-3F13DBF6AF4C(a)microsoft.com... > We have some clients that have the domain user in a local administrator > group only, no local account. What are best practices for adding domain > users to the workstations? In an environment where the users do not need > roaming profiles, is it advantageous to set up local accounts for the > domain user? Could not having a local account cause the profile to be > volatile? > > Thank you, > CourtK
From: CourtK on 25 Feb 2010 14:57
That is not an option. To clarify even more, this question is regarding adding domain users to a local account on a workstation, not the SBS server. "Cliff Galiher - MVP" <cgaliher(a)gmail.com> wrote in message news:283397D5-F0A6-4FA3-AD6F-C74BC5CB06F4(a)microsoft.com... > Don't use local accounts. There is absolutely no benefit and it only > makes management more difficult. > > -Cliff > > > "CourtK" <noreply(a)noreply.com> wrote in message > news:B46E2707-AC58-4F56-9AA6-3F13DBF6AF4C(a)microsoft.com... >> We have some clients that have the domain user in a local administrator >> group only, no local account. What are best practices for adding domain >> users to the workstations? In an environment where the users do not need >> roaming profiles, is it advantageous to set up local accounts for the >> domain user? Could not having a local account cause the profile to be >> volatile? >> >> Thank you, >> CourtK > |