[70-744] Implement User Rights Assignments - Users with administrative privileges on users workstations/laptops

---

Hello,
I'm checking the 70-744 videos and they are great, I'm learning a lot! I have a real world and also best practice question regarding administrative privileges on users workstations.

For example an IT Helpdesk user needs Admin privileges sometimes to install a specific software or make a specific change. I know that we shouldn't use Domain Admin accounts. With these part of the videos I checked a User Right that doesn't cache passwords.

So, and without using LAPS (it might be the best option in reality, I didn't catch up those videos yet [I'm going though the order of the official book of MS]) should I have a account with delegated privilege for administrative tasks and don't cache the password?

JIT and JEA is the way to go, but on a real world, going step by step, is this a first good approach? Also, there is an option to clear the already cached admin passwords on the workstations?

Thank you in advance for the help!
Regards,
Fábio

@fabio-teles , My apologies for not answering you sooner, your post slipped by me, and I did not realize that it was in the forum until just now as I was checking in to see if there were any unanswered posts... and sure enough... there you were.

So, you are correct about everything that you have asked and "answered" in your initial post. As you point out, in the real world, based on the requirements of the organization and policies, you would most likely be pursuing this via JIT and JEA.

What I always talk about with my customers and students is the need to figure out the "one size fits one" approach that feels right for you based on the needs and business issues you are being asked to address.

If you have any other questions as you are moving the remainder of the show, and/or in the real world as you look to apply the skills you are learning, my direct e-mail is: adam@itpro.tv

Be in touch as needed.

Good Luck !!!

Cheers,

Adam