Unfortunately on Windows, the default user account privilege has been and remains Administrator. This has two frustrating implications for MSPs:
- Users expect to be able to do anything on their system.
- Developers assume software is going to be run as admin so they don’t pay attention to what privileges it actually needs.
So if you start slimming down privileges to Standard, users are going to complain, usually that they can’t install software, and software is going to malfunction, usually when it tries to update. Sometimes you can tweak policies to make users happy and sometimes you can give users enough access to allow software to update, but not always. You can—trust me—sit there fastidiously editing policies and privileges, only to have the client call and say, “Can’t you just make me administrator?” in which case your power of persuasion and virtue of patience will be put to the test.
Unfortunately though, users occasionally need to be given administrative privileges, in which case the only thing you can do is set up extra notifications for certain changes and be prepared to roll them back, if needed.