Re: Granting all users Admin Rights

From: Joe Richards [MVP] (humorexpress@hotmail.com)
Date: 05/18/02


From: "Joe Richards [MVP]" <humorexpress@hotmail.com>
Date: Sat, 18 May 2002 16:50:34 -0400


Some thoughts.

1. If the people who make the decisions don't agree with you and say do it,
you are pretty much stuck with it unless you are willing to jeopardize the
position or they are actually just trying to figure out why you have the
position you have. If they feel you aren't willing to follow their direction
and they have a firm direction, don't be surprised if they find someone who
will.

2. Who has to reload the systems when they get screwed up? If the faculty
reloads their own machines, let them have at it. If not, do you have
information on how often you have to reload machines due to the issues you
are presenting to us and if so have you presented that and the cost analysis
to the decision makers?

3. I have never been overly worried about upsetting users of systems I am
responsible for and their concept of what they should be able to do.
However, I do also try not to unduly handicap them from doing their normal
job. With some sites you can lock them down completely because only certain
things should be there, in others this isn't feasible. Possibly some of the
faculty should be locked down and some shouldn't. Possibly you could set up
a pilot and have some as admins and some as normal or power users and really
track what the department has to do for support work. If the numbers really
start weighing heavily towards it being costlier to maintain the machines
for the people with full admin rights (which it will do if they are doing
things that they shouldn't be doing and the regular user folks don't really
need a lot of things done by admins for them) you will probably find that
you will win over the management that is deciding against the lockdown. Most
folks are more worried about cost than security or network safety which may
not make sense but is something to accept.

4. If you have SLA's that you can adjust, adjust them based on the level of
access the people in question have. The more access they have the slower
your group can respond to them or the less they have to fix or the longer
they have to fix it. The folks who don't really need high level access should
normally be willing to back down if they realize a mistake on their part
will not necessarily be fixed or if it is worked on soon or resolved
quickly.

Overall I can see how a university environment would be difficult to deal
with. You have some core software that may be consistent across the board
but then each area of study which may comprise of 1 or 2 instructors could
possibly have completely different requirements for software. The
educational software that is generally on the edge is the freeware,
shareware type of items. Unless you have a pretty serious staff who can work
with the folks to add/remove the software that they may rightfully be trying
to load, you could overtax a small staff on things that don't in the end
matter.

I think I would try to find the real reasons behind why the management is
thinking the way they are and try to verify if it really does make sense to
lock the people down you want to lock down. If the management isn't going to
budge or the people really need that access work hard to be able to support
that environment by having quick rebuild procedures for the PC's and keep
the AV software on servers very current and the firewall secure. When an
issue occurs to one of these machines, versus troubleshooting I would wipe
the PC and reload it back to the standard.

--
Joe Richards
www.joeware.net
---
"Robert A Klopotoski Jr" <eaglek96@hotmail.com> wrote in message
news:1989821b.0205161238.6b5993ef@posting.google.com...
> Hello All,
>
> I am currently the network manager at a small college with about 250
> faculty and staff computers (1500 students).  I am in the middle of
> implementing a windows 2000 domain.  The network is currently peer to
> peer workgroups with win95, 98 and 2000 clients.  In the process of
> building the domain, I am also trying to get every client onto windows
> 2000 so I can take advantage of the many features it allows in
> conjunction with active directory.  The most important thing to me
> since I am starting from scratch is setting up rules and guidelines
> for the users of the network.  My background before working here was
> working at a high-tech engineering company.
>
> Recently I have hit a snag with the management here where we cannot
> agree on whether or not users should be allowed local administrative
> rights on their machines.  In my last company I was forced to give
> admin rights to most users so they could develop and install hardware
> on their local machine.  I don't really see the need for the rights
> here, but the people making the executive decisions disagree with me.
> I am curious to know how other colleges or academic institutions deal
> with this issue.  It is my opinion that people should not need admin
> rights as a function of their job and any software installations
> should be routed through IT.  The people making the decisions feel
> that restricting rights would infringe upon academic freedom.
>
> I see several problems with granting a regular user admin rights.  The
> main reason is that system files become accessible and could be
> corrupted very easily by accidental clicks, viruses, etc...  I also
> want to be able to control the licensing of software, and want to keep
> the shareware to a minimum.  Not having admin rights greatly reduces
> their ability of screwing things up on the machine.  It also increases
> the security of each machine by knowing that many services can't be
> inadvertently disabled or uninstalled.
>
> The users that I am referring to are all Faculty and Staff.  Each
> person has a machine in their office to use.  We are not an
> engineering school or anything like that, and only have a few teachers
> who teach computer related fields.
>
> If some people could give their feelings on this it would be greatly
> appreciated.  I apologize if some of you feel this isn't the right
> newsgroup, but to me this seems like a security issue.  Mainly my
> question is asking how other groups handle this?  Should we give in
> and grant rights to everyone, or is it important to stand firm on my
> own opinion.
>
> Thanks in advance
> Rob

