Re: Granting all users Admin Rights

From: x y (jamescagney90210@excite.com)
Date: 05/17/02


From: "x y" <jamescagney90210@excite.com>
Date: Fri, 17 May 2002 08:08:58 -0400


"Robert A Klopotoski Jr" <eaglek96@hotmail.com> wrote in message
news:1989821b.0205161238.6b5993ef@posting.google.com...
> I see several problems with granting a regular user admin rights. The
> main reason is that system files become accessible and could be
> corrupted very easily by accidental clicks, viruses, etc... I also

This is theoretically true, but in practice I believe most of the viruses
and worms out there in the wild spread no matter what permissions you have.
An antivirus program to me is a better way to combat viruses than
permissions. System files are going to be vulnerable to accidental deletion
no matter what, even if users are not administrators.

> want to be able to control the licensing of software, and want to keep
> the shareware to a minimum. Not having admin rights greatly reduces
> their ability of screwing things up on the machine. It also increases
> the security of each machine by knowing that many services can't be
> inadvertantly disabled or uninstalled.

I think you are correct that not being a local admin would help with these
things, but it comes at a price. It could put more workload onto the MIS
staff when requests for software installs come through, or problems caused
by not having admin rights. For example, Microsoft bug patches come out
almost weekly, and these cannot be installed by a non-administrator. You
would need to buy third party software or figure out some other roundabout
way to install the patches. We also have a login script that runs at every
login [to make sure the setting is always there] in order to delete or
modify certain registry values that we feel are dangerous or allow viruses
to spread. This batch file won't work under the normal user's security
context.

Also, the first time a user logs into any computer and opens Microsoft Word,
Outlook, etc, a mini-install program runs that in my experience fails if the
user is not a local admin [power user might work too, I'm not sure]. This
means that if someone wants to hop onto another machine or regularly roams
from machine to machine, like in a student computer lab, Office won't work
for them. The same thing is true if their windows profile gets corrupt for
some reason and Windows decides to create a new one for them, suddenly the
help desk gets a call that Office isn't working.

The other problem is that the staff will resent you for restricting their
computer use. Sure, the computers are school property and you have the
right to lock them down, but they'll still resent losing that power.

I guess some people out there have worked through these problems in some
way, because I know some people have set up their users as non-admins. I
just found it pretty time consuming.

This is not to say that you are wrong... this is just to play devil's
advocate and show that there are some valid arguments on the other side.