In short, I would like to ask your recommendation as an expert with regards to this situation. I need to provide proof to my seniors and employees of best practices for network security. It would be a big help to bring an end to this "power hunger" of some employees.
If all else fails though, I then work under the basic premise of the most restrictive rights possible. So before I make a user a local administrator, I will check and see if they can do what they need to do as a power user. Before I make a user a power user, I will check to see if I can grant specific rights to the user (or more practically to a group the user is a member of) or specific rights to the appropriate registry keys or files.
The bottom line here though is that you are 100% correct in how you are approaching this issue, and unfortunately this is one of the more unpleasant aspects of security administration. Your best weapon is the ability to demonstrate how the users can perform all of their required business responsibilities at the lower privilege level. Good luck!!
Dig Deeper on Enterprise desktop management
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.