User Rights Management is an area of Windows environment management that has grown explosively in the last few years, as enterprises have realized that giving users local administrator privileges leads to many security and help desk issues. Before the appearance of User Rights Management solutions, taking local administrator privileges away from a user created *more* help desk tickets because it interfered with web applications (those that embed ActiveX controls) and prevented updates to essential applications like the Java runtime, or Adobe Reader. In addition, some power users actually need to install applications themselves, but the Windows environment is all-or-nothing in terms of granting admin rights, and does not provide a centralized audit trail of when they were used. With User Rights Management products it is possible to selectively allow privileged operations, keeping the user productive and the desktop environment more secure.
There are two primary benefits from a successful User Rights Management deployment: tighter security and improved user productivity. User Rights Management gives you fine-grained control over the level of user freedom versus IT control, a balance which will be different for every organization. In highly secure desktop environments, exceptions to the “no admin rights” policy might only be made for a few very specific applications or activities. Good User Rights Management solutions allow you to give different levels of freedom to different groups of users, or even run “audit only” mode for some groups of power users who are entitled to higher privileges. When implemented correctly as part of a desktop environment management solution, User Rights Management can dramatically reduce the number of calls into the IT help desk from users who unintentionally break their Windows desktops by installing or uninstalling applications, or changing system settings.
Some have suggested User Rights Management is an alternative to Anti-Virus solutions, because if the user cannot install unauthorized applications they can’t get infected. It is true that it can significantly reduce the exposure to user-installed malware, but there are other ways that it can get into the system through other types of human interaction, or even without any user activity, and so maintaining a regular scan on all devices and desktops is still required. Nonetheless, adding User Rights Management to your desktop management arsenal is definitely a good step towards building strength-in-depth in security defenses.