changing from admin to lua

Discussion in 'other security issues & news' started by beethoven, Nov 30, 2008.

Thread Status:
Not open for further replies.
  1. beethoven

    beethoven Registered Member

    Dec 27, 2004
    One department in our business has been running all pc as admin accounts in the past. Nobody there really needs to be an admin and should only be able to use the installed software as is.
    What is the procedure to change them to limited users now? Are there any issues with doing that and would I do that via control panel/user accounts - setting up new user accounts and change the password on admin or is there a different/better procedure?
    Also, with respect to the currently installed software, should I expect any issues for the users when they log on in future?

    I am not concerned with what is installed now (I will check that carefully) but I want to prevent new software to be installed willy nilly or changes to be done by malware using the admin account.

    I also read on this thread something about other software that reduces rights of users - can someone please point me in the direction? Is this something else I should consider?
  2. nick s

    nick s Registered Member

    Nov 20, 2002
    One easy method to lock down existing admin accounts would be to create Software Restriction Policies (SRP) and apply them to all users including admins: Using Software Restriction Policies to Protect Against Unauthorized Software. SRP can be toggled on/off easily. It would involve less setup time than downgrading or creating new users and then making sure their software environment continues to work as expected.

  3. ParadigmShift

    ParadigmShift Registered Member

    Aug 7, 2008
    Here are three wonderful links:
  4. Cerxes

    Cerxes Registered Member

    Sep 6, 2005
    Northern Europe
    If this has been done for a longer period, I suggest that you and your colleagues even schedule for formating and reinstall the OS during a low-activity period, i.e. if this is possible. Creating new restricted accounts should preferably be done on a new and clean system. Check the used applications on one system first for confirmation that it works, before applying to the rest. If there are some problematic applications, locate the registry keys/files and change the permissions.

    If you simply want to prevent new software from been installed, then you could easily apply SRP as nick_s suggested.

Thread Status:
Not open for further replies.