The SysAdmin Network

No more hiding in the server room

Dan Taylor

Administrative Rights

Hey folks,

I was wondering how many of you run with your users having full administrative privileges to their desktops? 

We have recently made the switch to locking down our desktops and we have understandably hit some resistance. Many people see their machine as their own (They don't realise it belongs to the company), and as such they have historically installed whatever they wanted to the machines.

Whichever side of the fence you're on could you try and explain why you do or don't give your users administrative rights?

Our reasons for removing them were to allow us to manage the software installed on our systems (For license compliance reasons) and to attempt to address the number of PC issues which were related to people fiddling with their PC's settings (Hint, there were lots of those).

Dan

Edit: Modified the title as it no longer made sense once the post was written.

Tags: Admin, Privilages

Views: 581

Reply to This

Replies to This Discussion

Jason ShortPermalink Reply by Jason Short on May 13, 2010 at 7:28am
I'm jealous that you're getting to eliminate it - must be fun! It's the same with us. It's always the line of business applications that are the real trouble. Because at the end of the day, we do have to help people get real work done. :) While keeping our company out of the news.

There's been a scary amount of spear fishing targeting small businesses in the last 3-4 months. I'm kind of a "glass-half-empty" type, but I suspect it'll only get worse.
TomkatPermalink Reply by Tomkat on May 19, 2010 at 2:18pm
I dont give my users admin rights. Mainly because in the past I have found so many rogue programs and spyware because they can install whatever they want with admin rights
Geoff GardinerPermalink Reply by Geoff Gardiner on May 19, 2010 at 2:36pm
> Reply by Jason Short on May 12, 2010 at 12:48am
...
> That's one of the up-sides of working at a financial institution, ...

This is surely key. Some places need lockdown, others are better without, having less to lose, more to gain etc (and the sysadmin has to pick up the pieces).

Geoff
Robert ChipperfieldPermalink Reply by Robert Chipperfield on May 19, 2010 at 2:40pm
I guess it depends a lot on what users are doing, and what they need - I doubt there's a one-size-fits-all solution. For example, quite a lot of software development really does require admin rights - you can't install and debug Windows Services without, for instance. But someone who only uses Office and a few other "desktop" applications? Probably not.

At least Windows 7's implementation of UAC is rather more sane, which means on my desktop, the vast majority of processes aren't running with admin rights, even though my user is capable of elevation. Especially true of web browsers and the like.

One approach for those users who do know what they're doing, and do need admin rights: if you install this random non-standard software, you get to fix it when it breaks. I have all sorts installed on my machine (I can't see Ethereal being rolled out as a company-wide deployment, but it's essential for what I do), but I fully accept that if something goes wrong, it's my problem to sort it out.
Thomas StensitzkiPermalink Reply by Thomas Stensitzki on June 1, 2010 at 8:21am
I think that this is the only way to go. Otherwise you have no chance to reduce the number of support tickets for your helpdesk.

Cheers,
Thomas
Dan TaylorPermalink Reply by Dan Taylor on June 9, 2010 at 11:36am
Thank you to all those who have replied to this thread, its certainly given me some alternate opinions to show my director next time the question comes up about locking machines down.
Bob MartensPermalink Reply by Bob Martens on June 9, 2010 at 3:05pm
Truthfully, we give all faculty and staff members admin rights to their machines and tell them to be careful. Along with that is the warning that if anything sufficiently annoying happens, we'll be completely re-imaging their hard drive and whatever they had on the machine will be going away. It is sufficiently scary to get the vast majority of people to house any important info on the file server and to keep their software and configuration needs to a minimum.

That's been the policy for the past three years.
GraycatPermalink Reply by Graycat on June 13, 2010 at 5:29pm
Whilst I don't agree with granting local admin rights (and certainly not group or domain admin rights!) I do let every "elevated user" know that anything goes wrong and takes longer than 30 mins to fix, we're just going to reimage it and be done.

You'd be surprised by how affective that threat is even to your run of the mill end user. :o)

RSS

© 2012   Created by Elizabeth Ayer and Michael Francis.   Powered by .

Badges  |  Report an Issue  |  Terms of Service

Sign in to chat!