Users without Admin Rights

Users without Admin Rights
Often, users are given admin rights on a computer because individual programs won’t work otherwise. This has been common practice for years, but it brings with it many problems, such as an increased risk of malware. In most cases, extended rights are not even necessary. Windows offers enough possibilities for users to work with the system even without admin rights.

In most cases, it is not necessary and does not make sense to give users administrator rights. First of all, it should be analyzed why the admin rights are necessary. Then, exactly those rights should be assigned that require access to a particular program.

Admin rights for individual programs

In Windows, the “Compatibility” tab in the properties of shortcuts for programs is available for this purpose. By activating the “Run program as administrator” option, it is possible to specify that this individual program is run with administrator rights. This way, individual programs can be started with increased rights without having to give a user administrator rights right away.

Increased rights through group memberships

Windows 10 also still has a local user account control and a local user administration. The local user administration is started via “lusrmgr.msc” in the search field of the Start menu. In addition to the administrator’s group, other groups are also available here. These can still be used in Windows 10. Although the “Power Users” group should no longer be used in Windows 10, they still offer increased rights without immediately granting complete admin rights.

READ:  What Is Risk Analysis in IT?

“Network Configuration Operators” are used to delegate administrative tasks that affect network configuration. Members of this group have limited administrative rights to configure the network, but not full rights for the whole PC.

Members of the “Remote Desktop Users” group are allowed to establish a remote desktop connection to this computer. Those who are members of the “Replication Operator” group have the necessary rights to start the directory replication service.

“Backup operators” can backup and restore files. The members of this group have all the permissions required for backups and restoring backed up information.

Rights of an administrator compared to power users

The local “Power Users” group on workstations and servers has almost similar rights to the local administrators. However, the following rights are reserved for administrators of a computer or server:

  • Change user rights
  • Unlocking a computer
  • Increase process priorities in the task manager
  • Shut down a system over the network
  • Taking ownership of objects
  • Installing and configuring hardware and drivers (however, power users are allowed to install printers)
  • Changing system files
  • Changing password policies
  • Changing monitoring policies
  • Configure local event logs
  • Installing local system services
  • Installing service packs and patches on local machines
  • Upgrading the operating system to a new version
  • Creating administrative shares
  • Creating additional administrator accounts
  • Modifying groups and users that were not created by the user himself
  • Remote access to the registry
  • Stopping and starting services that are started automatically
  • Managing disk quotas
  • Format disks
  • Adjust system related environment variables
  • Accessing other profiles
  • Backing up and restoring files
READ:  What is Command-and-Control Servers (C&C Servers)?

Rights of a power user compared to users

Power users have fewer rights than administrators, but significantly more rights than normal users on a local system. Power users are allowed to perform the following tasks, which are denied to normal users:

  • Create local groups and users
  • Modify self-created groups
  • Create and delete shares (not administrative)
  • Create, manage, delete and share local printers
  • Changing the system time
  • Stopping and starting services that are not started automatically
  • Change permissions on the Program Files folder
  • Changing various registry keys under HKEY_LOCAL_MACHINE\Software
  • Write access to most system directories
  • Installing programs
  • Changing system settings such as IP address and other system-side components

Permissions for directories are often sufficient

When a user is unable to open a particular program, it is often due to a lack of write or read permissions for various directories. In most cases, the problem lies with write permissions for the directory in which the application itself is installed. This is usually a subdirectory in “C:\Program Files” or “C:\Program Files”. In addition, there is the corresponding registry key under HKLM\Software.

If the rights for the appropriate user are adapted here over the context menu, and he receives write rights, the work with certain applications and directories represents usually no more problem. If users are given “Modify” rights for a program directory and sometimes also for the local temp directory, the problem should be solved.

READ:  What is Perfect Forward Secrecy (PFS)?

Delegating rights via group policies

You can also delegate rights via group policies. This is useful if users should have access to certain directories on a computer. The corresponding settings can be found in the group policy administration via “Computer configuration \ Policies \ Windows settings \ Security settings”. Numerous settings are also available here via “Local Policies”, which help to control user rights in Windows.