Anyone who works as a System Administrator on Windows Server platforms is well aware of the importance of user permissions: in most cases it is advisable to give users the minimum set of permissions necessary to carry out their activities, in order to protect the entire network infrastructure from cyber threats (viruses, ransomware, data breach attempts and the like).
Despite this, in some cases it may be necessary to temporarily grant a Domain User the permissions required to install software, change system configuration or perform other activities normally off-limits to standard users on a physical or virtual machine entrusted to them. There are various ways to make this possible, but they are not all equally recommended: I decided to write this article because, as a result of many discussions I had with other fellow administrators, I have seen a series of bad practices which I personally wouldn’t recommend and from which it would be wise to keep your distance.
Let’s look at the options at our disposal for increasing the privileges of a domain user on the local machine:
- Increase the Domain User’s permissions on the entire Domain by adding the user in question to the Domain Power Users or Domain Administrators group: this is obviously a poor choice in terms of security, as it extends the user’s permissions without a valid reason.
- Increase the permissions of the entire Domain Users group on the local PC by including the whole DOMAINNAME\Domain Users group in the local machine’s Administrators group. This method is also hardly advisable, as it indiscriminately grants local administrative privileges to all Domain Users.
- Increase the permissions of the Domain User on the local PC by adding the user in question to the local machine’s Power Users or Administrators group. This is by far the preferred method, limited to the cases where it is absolutely necessary, as it gives only the minimum amount of permissions required to reach the goal.
The best way to perform this type of activity is to use the Users and Groups snap-in, which can be reached from the Windows Control Panel as follows:
Control Panel > Administrative Tools > Computer Management > Users and Groups
The Users and Groups snap-in allows you to create new local users, change the settings (name, password, etc.) of existing users and add (or remove) the relationships between users and local and/or domain groups.
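The same change can also be scripted. The following PowerShell script is an added example, not part of the original article: it applies the third option to one named account, warns if the second option (a domain-wide group in local Administrators) is already in place, and can withdraw the grant afterwards. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets and an elevated session on a domain-joined machine; `CONTOSO\jdoe` is a placeholder account and `Test-BroadPrincipal` is a helper defined here.

```powershell
#Requires -RunAsAdministrator
# Added example: CONTOSO\jdoe is a placeholder; pass the account as DOMAIN\user.
param(
    [string]$Member = 'CONTOSO\jdoe',
    [switch]$Revoke              # use -Revoke to withdraw the temporary grant
)

$AdminsSid = 'S-1-5-32-544'      # well-known SID of the local Administrators group

# True for SIDs that would make every domain user a local administrator.
function Test-BroadPrincipal {
    param([string]$Sid)
    return ($Sid -match '^S-1-5-21-(\d+-){3}513$') -or   # <domain>\Domain Users (RID 513)
           ($Sid -in 'S-1-5-11', 'S-1-1-0')              # Authenticated Users, Everyone
}

# 1. Audit: report broad groups already present in local Administrators.
$members = Get-LocalGroupMember -SID $AdminsSid
$members | Where-Object { Test-BroadPrincipal $_.SID.Value } | ForEach-Object {
    Write-Warning "Broad principal in local Administrators: $($_.Name)"
}

# 2. Guard: refuse to add a domain-wide group by mistake.
$memberSid = ([System.Security.Principal.NTAccount]$Member).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
if (-not $Revoke -and (Test-BroadPrincipal $memberSid)) {
    throw "$Member is a domain-wide group; grant the right to a single account instead."
}

# 3. Grant or revoke membership for the single named account only.
$present = $members.SID.Value -contains $memberSid
if ($Revoke) {
    if ($present) { Remove-LocalGroupMember -SID $AdminsSid -Member $Member }
} elseif (-not $present) {
    Add-LocalGroupMember -SID $AdminsSid -Member $Member
}

# 4. Show the resulting membership for the change record.
Get-LocalGroupMember -SID $AdminsSid | Select-Object Name, ObjectClass, PrincipalSource
```

Because the grant is meant to be temporary, run the script again with `-Revoke` once the installation or configuration work is finished.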