Limited Local Administrator Rights - PC

Limited Local Administrator Rights on University-owned PCs

By default, all users will only have User status on their University-owned Windows PCs. IT recognizes there are some faculty and staff who need to perform tasks requiring elevated permissions. To accommodate these individuals and provide this functionality, IT will create an additional username.admin account for these individuals on a case-by-case basis with membership in the Local Administrator group on selected PCs.

Users who are granted the username.admin account with elevated privileges must recognize these accounts are only to be used to provide credentials for tasks requiring such elevated privileges (such as certain types of software installations and device configuration changes), and are not to be used for normal tasks like internet browsing or file/print operations. The passwords of these accounts will not be linked to the AMS or any other password management services. These accounts' passwords will expire after 185 days and should be managed through the native Windows password change functionality.

Determining which users will be assigned username.admin accounts with elevated privileges will be a joint function between IT staff and the department's director, chair, or other employee delegated to serve in that role, and must be based on a demonstrated business need.

Users who are not assigned accounts with elevated privileges and need software installed or other changes on their PC requiring administrator access will need to:

  1. Create an ITicket and have an IT member perform the task; or
  2. Have a member of their department with a privileged username.admin account perform the task.

The Office of Information Technology will regularly review (at least annually) the use of these local administrator accounts as well as the need for them and reserves the right to remove local administrator accounts if deemed appropriate.

For Travel

We also recognize that there may be a business need for some individuals to possess temporary Local Administrator Rights to a laptop while away from campus; for instance, to install wireless networking access software at an off-site location. In this case, a temporary username.admin account will be created with an expiration date. The individual will need to log in to the laptop on campus while connected to the domain to create a cached local account on the PC for the temporary username.admin account. This account will be active with Local Administrator Rights on the laptop until the computer reconnects to the campus domain after the account's expiration date. The temporary account should be requested via an ITicket through the Help Desk well in advance of the date it is needed to allow IT staff time to complete the request.

Procedure Details

Details of the local admin lifecycle process are located in this document: Local Administrator Account Procedure

FAQ

For a list of frequently asked questions about the effects of this policy, please visit this page: FAQ - Local Admin Rights Policy

Version Date Comment
Current Version (v. 9) Nov 01, 2024 16:36 Dave Sierkowski
v. 8 Nov 01, 2024 16:36 Dave Sierkowski
v. 7 Oct 23, 2024 15:50 Jon Sanders
v. 6 Oct 21, 2024 11:37 Dave Sierkowski
v. 5 Nov 30, 2017 09:47 Former user
v. 4 Sept 14, 2017 14:45 Former user
v. 3 Sept 12, 2017 09:12 Former user
v. 2 Sept 12, 2017 09:12 Former user
v. 1 Sept 01, 2017 14:16 Dave Sierkowski