Tranquil IT Forum

gaelds wrote: ↑June 24, 2023 - 8:44 AM Hello,
Similar problem in our vocational high school. Companies ask interns to bring a PC, either to use our Autodesk/Solidworks Education licenses, etc., or to install their own business software. Sometimes these PCs even end up being joined to the domain of the company hosting the intern. They therefore need administrator privileges on the workstation.

dcardon wrote: ↑June 26, 2023 - 11:02 Hello Julien,

jdziadek wrote: ↑May 31, 2023 - 10:12

vcardon wrote: ↑May 30, 2023 - 11:02 PM What software do you need to put your users into restricted access and offer them self-service software installation?

Can we collaborate to achieve this goal?

The problem is that we don't know at all; we have many teacher-researchers who test software to see if it can meet a need, so they may need the software to test it and possibly never come back to it.

It may not be possible to remove local admin rights from all teaching staff, but we've seen other schools that have successfully removed them for the vast majority of users with a well-populated self-service system. In fact, by explaining the risks associated with this account (particularly the increased risk of ransomware attacks) and the limited benefits if the self-service system is full, it's possible to get a lot of people to accept the change.

Beyond simply switching to local admin privileges, from a security standpoint it's best to avoid having the main user account as a local admin. Instead, create a separate local account on the same machine that can be used occasionally for installations, but not for daily use. If this account is local and doesn't have access to network resources, etc., it prevents users from using it daily, thus encouraging them to prioritize their restricted-privileged accounts.

Sincerely,

Denis