I know what your thinking... Is this guy for real? Everyone being an administrator would be insane!!! Regardless, the question has come up in my department. We support 2000+ users in an academic environment. I try to explain the importance of limiting access to limit liability and decrease the amount of service calls related to viruses and user error. Sadly that isn't enough. I am reaching out to the TechNet community to develop an extensive list of Pros and Cons on "Why can't everyone be an Administrator?" What would the advantages be if every user was an Administrator? What are the disadvantages? Feel free to chime in with your horror stories!

First of all, Microsoft recommand to give the minimum of privileges for users and I don't think that all your users need the administrator privileges so it is not recommanded to give everyone an administrator account. Second, if users are using administrator accounts, many viruses can use the administrator accounts privileges to infect the computer. So, even administrators should use a secondary account with the minimum of privileges to avoid that (The administrator account should only be used when it is really needed). When administrative privileges are needed, it is recommanded to use a secondary session. Third, if all your users are administrators, each one of them can do what he want with the configuration of your environement and can grant to himself access to resources that he is supposed not allowed to access them. This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

To add, with giving administrator accounts to all of your users, attacks probability on your environment will increase. Let's suppose you've got 2000 administrators and a hacker discovered the password of one of them. In this case, you may face severe problems. Let's suppose now that you've got only 2 administrators (It is just an example). You reduce thousand times (2000/2=1000) the possiblilty of attacks. So, as you see it is more secure to have few administrators. Also, your users, if they have administrator accounts, may launch attacks on your environment (This is what we call an internal attack). So, you should only give administrative accounts to users that you trust on them. This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

Excellent insight! To give a bit more background on my environment... We have about half of them on Active Directory. Each user is administrator on their local machine. The other half of the user base are using local account that are also Administrator. Every system has the same local admin password. Some of which have a slight variation. Group policy is being used to deploy security and WSUS settings. Keep the comments coming!!

Excellent insight! Each user is administrator on their local machine. The other half of the user base are using local account that are also Administrator. First of all, I recommand to let all the computers member of the domain. Once done, I recommand to you to give your users accounts with the minimum of privileges so that you will reduce attacks on the domain and reduce the viruses impact on your computers. Second, if you don't want to integrate all of your client computers in the domain, I recommand to you to give to users local accounts with the minimum of administrative privileges so that you limit their ability to change local config and reduce the impact of viruses. Even with those who have administrator accounts (I suppose they need administrative privileges), I recommand that you give them another accounts with limited administrative privileges so that they work with it and if they need administrative privileges they will have to use a secondary session (This also will reduce attacks and the impact of viruses). This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

Every system has the same local admin password. As you said, every system has the same local admin password. Let's suppose a hacker found the password for a local admin account on one of your computers, this hacker will be able to open session on all the computers and to damage them. Also if each one user can use these administrator accounts, you may face internal attacks. So, as I told you, you can integrate all you client computers in the domain and give your users accounts with minimum of priivieleges. You can also enable the guest account on your client computers if you don't want to integrate your client computers in the domain. Please mark as helpful all the replies that helped you. This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

To add: Other than the recommandations I gave you, I recommand to you to have a look at the Microsoft Passwords Best Practises: http://technet.microsoft.com/en-us/library/cc784090%28WS.10%29.aspx The article is so interesting to ensure a secure environment. This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

Does anyone know if here are any in-depth case studies on secure desktop environments associated with the decrease of malware infection, and/or attacks?

Do you know Microsoft Security Templates? http://www.windowsecurity.com/articles/Understanding-Windows-Security-Templates.html I recommand to you to have a look at them. There is predifined ones by Microsoft. So, you can search on the internet to know the caracteristics of each predifined one. This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

Also to secure your environment against attacks, it is recommanded to rename the "Administrator" and the "Guest" account. Don't forget the option "Run as an administrator" that is used for secondary logon sessions. You can also use SYSKEY to protect your SAM database: http://support.microsoft.com/kb/310105 This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

I just forget to say that protection level againt malware infection depends of your browser. It is for that I recommand to you to use Microsoft Internet Explorer 8 which is the most secure one. For more information, have a look to this Microsoft article named "Security in Internet Explorer 8" http://www.microsoft.com/security/products/ie8.aspx This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

To add: If you want to protect your documents againt attacks you can use EFS (Encrypting File System). This is a Microsoft article about the Best practices for the Encrypting File System: http://support.microsoft.com/kb/223316 This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

Group policy is being used to deploy security and WSUS settings. With all your users having administrative rights, how are you verifying that they are not removing your security and WSUS configurations? As it stands you have created the ability for knowledgeable users to optout of your policies (even if it only lasts through an audit rotation or a reboot). In our academic environemnt about 80% of all Windows PCs are in our AD environment, and all users operate as standard users. In addition to using AD for policy settings, we deploy software. In order to keep a known base line and our deployed software operating correctly and cleanly we cannot have admin users outside of IT staff....they're prone to runing software updates, etc that monkey with software deployments.

edusysadmin, What about your faculty? Are they standard users as well? How does that cope with "Academic Freedom" for faculty? What have your experiences been? Are there any gotchas? Is anyone else in an academic environment? What do you do?

My academic department heads know that we do everything we can as quickly as we can to address any support needs, and while we don't give way admin rights we also don't restrict what tools users can have installed. Academic Freedom is meaningless if their computer are comprimised and they're unable to work. We keep their machines running, so they can focus on their courses and resarch. With Windows 7's better offline capabilities we are going to be pressing this issue more within our environement as we move from Faculty with a domain desktop and off domain notebook (which is all too often used for personal use and 20% work) to either a domain desktop or domain notebook. To date we have 2 complainers out of 100 Faculty I support directly so our administration is behind us. And these complainers....they're just using the same old baseless FUD problems which we're easily able to debunk.