EMEA Endpoint Management and Mobility Group (EMM)

  • 1.  Recommended Techniques for Adding or Removing a user's admin rights

    Posted Oct 24, 2014 11:07 AM

    All,

    We are in the middle of transitioning from DS 6.9 to ITMS7.5 and were wondering how everyone removes or adds users' admin rights.  Now I may be showing my newness with the new management console but I didn't see an easy or automated way to complete this out of the box.

    We used to just run a simple script that used the DS token, see below for an example.

    net localgroup administrators %#express!computer@logged_on_user% /delete

    I am finding using these variables in the new system to be a bit more difficult, and honestly it would be nicer to find a better solution or hear how others are doing it.

    Any suggestions or recommendations are greatly appreciated.



  • 2.  RE: Recommended Techniques for Adding or Removing a user's admin rights

    Posted Oct 24, 2014 02:41 PM

    Does DS 7.5 meet all of your needs compared to what you were using 6.9 for?  If not, I would carry on using it as you can still use the other 7.5 products at the same time. 

    DS 7.5 does have a number of built-in tokens, and it does also let you create your own custom tokens too if I remember correctly.



  • 3.  RE: Recommended Techniques for Adding or Removing a user's admin rights

    Posted Oct 24, 2014 03:05 PM

    ITMS 7.5 I say exceeds our needs compared to DS6.9 and keeping both live is not a solution for any enterprise in my mind.



  • 4.  RE: Recommended Techniques for Adding or Removing a user's admin rights

    Trusted Advisor
    Posted Oct 25, 2014 07:56 AM

    Hi frickea86,

    To answer your initial question on admin rights, Altiris isn't the tool for this job as this is normally achieved through group policies. It isn't usual to assign accounts and rights at the local machine level; typically the directory service is used for this. Have a chat to your domain administrator(s) and see what your options are.

    Some organisations use a privilege management product that ties into their AD to allow standard users to perform specific admin-type tasks as required (usually through an audited and managed way). Avecto and Arellia are a couple of vendors who have solutions in this space. These products are useful as they can help remove administrator rights (thus lowering your exposure to vulnerabilities) whilst at the same time minimising the business impact of the rights changes.

    On your other side-point with respect to ITMS: Symantec continue to advise customers, where appropriate, to use both products to manage their clients (customers licensed for DS7.x are also licensed for DS6.9). Each product has its strengths and weaknesses and in many environments they can complement each other wonderfully.

    Hope this helps,
    Ian./

    btw if your users are *really* assigned accounts at the local machine level (i.e. you have a workgroup config rather than a domain) then ping back and we can work through a script that does the job for you.




     



  • 5.  RE: Recommended Techniques for Adding or Removing a user's admin rights

    Posted Oct 27, 2014 12:51 PM

    Thanks Ian for the info, guess I should probably give more background on why I am asking.  Also, I didn't know there were such privilege management systems out there, may recommend looking into this as we do have a lot of IT and other users constantly requesting local machine admin access.

    So our environment is controlled by a domain, both users and computers, but at times we have to manually add users to the local administrators group so they can use software that requires elevated privileges, not what we want in our mind as we have about 50k machines globally.  The majority are just users of their machines and nothing more but we do have extenuating circumstances.

    At times with old DS6.9 we would just reference the local database to figure out who the current logged on user was and add them to the administrators group very similar to my example script I posted above.  It worked well but we want to migrate it over to ITMS as we will be turning down 6.9 eventually as it is a nightmare to manage in our environment, hence why we chose to move to ITMS as it can manage large environments with a single console very efficiently.

    Coming from an environment that has multiple solutions for the same areas of the company and having a very fragmented IT environment, to properly centralize IT I can't see having multiple deployment solutions.  So that is why my opinion is very direct and sparse as I do understand some environments require both and if they do I would be asking the question, is there a better product for us then.

    Thanks for the help, it's greatly appreciated.



  • 6.  RE: Recommended Techniques for Adding or Removing a user's admin rights
    Best Answer

    Trusted Advisor
    Posted Oct 28, 2014 04:46 AM

     

    OK. I understand a bit more now. I would *personally* be wary of removing administrator rights from every user that is logged in with a script like,

    net localgroup administrators %#express!computer@logged_on_user% /delete

    But, if that's what would work in your environment, then you can configure a policy in ITMS to run daily, (say at midday) in the context of the logged in user which would remove themselves from the local administrators group?

    The script to run would be something like this,

    net localgroup administrators %USERNAME% /delete

    Whilst that's the answer technically, I would still make sure you understand what it is that your users are doing with their admin rights. You could well greatly impact your business (even if it's just everyone opening up tickets and asking "WHERE'S MY ADMIN RIGHTS?!?!").

    Good luck!

    Kind Regards,
    Ian./
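
An added example, not from the thread or from Symantec: a PowerShell variant of the removal script in post 6 that first reports who is in the local Administrators group and removes only the console user, and only when asked, so the impact can be reviewed before any rights change. It assumes Windows PowerShell 5.1 or later, an elevated or SYSTEM context, and a constructed keep-list (`CONTOSO\Domain Admins`); the `-Remove` and `-Keep` parameter names are hypothetical.

```powershell
# Added example: audit first, remove only on request.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts) and an
# elevated or SYSTEM context; a non-elevated user session cannot edit the group.
param(
    [switch]$Remove,                              # without -Remove the script only reports
    [string[]]$Keep = @('CONTOSO\Domain Admins')  # constructed allow-list; replace with your own
)

# Well-known SID of BUILTIN\Administrators (the group name itself is localized).
$adminsSid = 'S-1-5-32-544'

# Console user as DOMAIN\user; replaces the DS 6.9 logged_on_user token.
# Empty when nobody is logged on at the console.
$loggedOn = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName

foreach ($m in Get-LocalGroupMember -SID $adminsSid) {
    # RID 500 is the built-in Administrator account; never touch it.
    $isBuiltin = $m.SID.Value -match '^S-1-5-21-.+-500$'

    if ($isBuiltin -or ($Keep -contains $m.Name)) {
        $action = 'Keep'
    }
    elseif ($loggedOn -and ($m.Name -eq $loggedOn)) {
        # Only the logged-on user is a removal candidate, as in the original script.
        if ($Remove) {
            Remove-LocalGroupMember -SID $adminsSid -Member $m -ErrorAction Stop
            $action = 'Removed'
        }
        else {
            $action = 'WouldRemove'
        }
    }
    else {
        # Anything else is reported for review, not changed.
        $action = 'Review'
    }

    # One record per member; collect these centrally before enabling -Remove.
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Member   = $m.Name
        Class    = $m.ObjectClass
        Source   = $m.PrincipalSource
        Action   = $action
    }
}
```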

     



  • 7.  RE: Recommended Techniques for Adding or Removing a user's admin rights

    Trusted Advisor
    Posted Nov 03, 2014 03:46 AM

    Hi frickea86, do you need any more help here?



  • 8.  RE: Recommended Techniques for Adding or Removing a user's admin rights

    Posted Nov 03, 2014 09:06 AM

    Thanks guys for the info and I believe my question was answered, I will mark it solved, thank you!