Q: My company is trying to discourage the use of local accounts. In your opinion, what's the best way to deal with laptop users? Many of our users work remotely most of the time, and they invariably request a local account with higher privileges than are typical (administrative privileges, in some cases) to install printers and programs, despite already having a domain account. We usually judge each case individually, but I would like to create some sort of global policy for these situations. What are your thoughts?
A: In my opinion, users are overrated—especially demanding ones—so get rid of them! Just kidding. Mobile and remote users often require more authority on their workstations than typical users because they need to access printers at home or at a customer's office and because they often want to be able to solve problems in the field without having to depend on technical support.
Keeping that in mind, I think the decision to give mobile users more authority on their laptops depends on the level of support available to them in the field compared with the support experienced by onsite users. With the ubiquity of high-speed Internet access, VPN access, and remote support tools such as Remote Assistance in Windows, many organizations should be able to provide the same level of support for remote and mobile users as they can for users on the LAN—especially organizations that have 24-hour Help desks for their mobile users who might be traveling to different time zones and working after hours. If that’s the case, I think you can justify keeping remote and mobile laptops locked down similarly to internal desktops.
This problem is close to being solved with Windows Vista, which introduces more granularity and control over administrative functions, making it easier to give users the appropriate authority to handle routine tasks, such as installing printer drivers, without giving users full administrative authority. In the meantime, try making mobile users members of their computer's Power Users group instead of administrators. A Power Users membership is often sufficient for users who need more authority. (This is only a temporary solution, though, because Power Users will go away in Vista.)
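The Power Users suggestion above can be applied per laptop with a script; the following is an added example, not part of the original answer, that lists non-exempt members of the local Administrators group and moves them to Power Users. It assumes the Windows PowerShell 5.1 `Microsoft.PowerShell.LocalAccounts` cmdlets and a machine where the Power Users group still exists; the function name `Move-AdminToPowerUsers` and the exemption list are hypothetical choices for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: demote laptop users from local Administrators to Power Users.
# Assumption: Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1).

$AdministratorsSid = 'S-1-5-32-544'   # BUILTIN\Administrators (well-known SID)
$PowerUsersSid     = 'S-1-5-32-547'   # BUILTIN\Power Users (well-known SID)

# Accounts left in place (assumed policy): RID 500 = built-in Administrator,
# RID 512 = Domain Admins. Adjust to match your own support accounts.
$ExemptPattern = '^S-1-5-21-.*-(500|512)$'

function Move-AdminToPowerUsers {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # SIDs already in Power Users, so we do not try to add them twice.
    $powerUsers = Get-LocalGroupMember -SID $PowerUsersSid |
        ForEach-Object { $_.SID.Value }

    foreach ($member in Get-LocalGroupMember -SID $AdministratorsSid) {
        $sid = $member.SID.Value
        if ($sid -match $ExemptPattern) { continue }

        # With -WhatIf this only reports; without it the change is applied.
        if ($PSCmdlet.ShouldProcess($member.Name,
                'Move from Administrators to Power Users')) {
            if ($powerUsers -notcontains $sid) {
                Add-LocalGroupMember -SID $PowerUsersSid -Member $member
            }
            Remove-LocalGroupMember -SID $AdministratorsSid -Member $member
        }

        # One record per candidate account, suitable for Export-Csv.
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Account  = $member.Name
            Source   = $member.PrincipalSource
            Sid      = $sid
        }
    }
}

# Dry run: list who would be moved without changing any group membership.
Move-AdminToPowerUsers -WhatIf
```

Run it with `-WhatIf` first and review the output before applying the change, since anything not matched by the exemption pattern is removed from Administrators.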