Derek Melber, MCSE MVP, is an independent consultant, speaker, author and trainer. Derek’s latest book, The Group Policy Resource Kit by Microsoft Press, is a best-seller covering all of the new Group Policy features and settings in Windows Server 2008 and Windows 7. Derek educates and evangelizes Microsoft technology, focusing on Active Directory, Group Policy, security, and desktop management. Derek also provides sales consulting to help sales and marketing teams sell technology. Derek speaks and trains all over the world. You can contact him at derekm@braincore.net.

Obtaining Least Privilege for Desktops

As in most corporate computer networks, there is a wide range of environments in which users work. Our story deals primarily with the desktop environment. While this particular example focuses on end-users, similar stories exist for other user groups like IT staff, developers, mobile users, and other unique workers in the corporation.

As the standard end-user makes up more than 75% of all users in the organization, we’ve decided to start our story here. This story focuses on one employee, Goldie Locks, and the three desktops that she discovers and tries to work with.

Goldie Locks and The Three Least Privileged Desktops


Goldie is a new, upbeat employee who is familiar with Windows desktops. Her experience is based on having used computers in college and her current hobbies at home. From this exposure, she knows how to use her computer rather well.

Goldie Locks is most familiar with Windows XP Professional, having only dabbled with Vista once. She has two degrees: marketing and multimedia communications. Goldie has a general understanding of program development from a Visual Basic course she usually skipped in college, but one would never consider her proficient. Goldie also understands enough about networking to have created a wireless WEP network, which uses the built-in security of the router connected to her cable modem. She regularly attends IT seminars and tries to absorb as much information as possible from the few technology magazines that she subscribes to via her iPad.

Last month, Goldie was hired by a medium-sized Information Technology company. She is responsible for much of the company’s external marketing efforts. She oversees both print and Internet marketing, as well as the monthly webinars that the company provides to promote their products. Goldie requires slightly more than a standard desktop, due to the applications required to perform all of her job duties.

Goldie’s Work Responsibilities

Goldie spends a significant amount of time on the Internet in order to develop, test, verify, and research the products and messaging she produces. On any given day, Goldie may need to:


  • Install a printer
  • Install a new application
  • Run an application designed for developers, so she can update the website or preview a layout
  • Perform research online, maybe even downloading an Internet Explorer add-on
  • Run web-based applications for the webinars, which typically require an ActiveX plug-in
  • Install an ActiveX plug-in to access a site that might have a video, application or widget she needs