Re: Administrator Privileges on local system.

From: Chris Jackson (chrisjATmvpsDOTorgNOSPAM)
Date: 01/06/04


Date: Tue, 6 Jan 2004 11:57:30 -0500

So don't give them the password for the admin account. Developing in VS.NET,
I almost never need an admin account. If I have to hit the way-back machine
to some old VS6 stuff, however, I sometimes need to get an admin login in
order to get some components registered or something similar. However, if I
didn't have an admin login, I would just call up somebody who did when I had
to do that.

Because there is such a preponderance of old software out there, you will
have to weigh the costs. Some older stuff requires admin intervention rather
often. If your guys are developing kernel mode code, it's going to be rough
if they can't get on as an admin. If your guys are developing web sites,
then they should almost never need to run as an admin. So, you have to
determine (based on what your guys are doing) which is cheaper: having guys
running to their desks to enter credentials, and then sit there and wait
until all apps with this user token have been killed; or the cost of your
developers doing stupid things that you then have to go in and fix. The call
will depend on what exactly your folks are developing. What I would do is
give it a try without giving out the password, and then dole out the
passwords based on seniority and trust if it becomes inconvenient. Maybe
have the dev leads own the passwords, so you can keep it out of your
department, and hold them accountable for whatever happens with their
credentials.

-- 
Chris Jackson
Software Engineer
Microsoft MVP - Windows Client
Windows XP Associate Expert
-- 
More people read the newsgroups than read my email.
Reply to the newsgroup for a faster response.
(Control-G using Outlook Express)
-- 
"Stephen O'Sullivan" <steve@nospam_noway_dontyoudare.net> wrote in message 
news:uDjYd0F1DHA.3656@TK2MSFTNGP11.phx.gbl...
> Chris,
>
> Does that not defy the whole purpose of controlling the administrative
> rights? If a user has an account that is an administrator on a local system,
> won't they be tempted to use it for personal customisation of the system and
> environment they develop on? I know what you're saying and I've had many an
> argument with the software engineers here. And as you've just pointed out,
> run everything from a command shell that has been runas a sys admin.
>
> From the Active Directory admin perspective, that allows users to control
> what settings they use. My main concern would be network card settings,
> where default gateways can be changed, metrics, DNS, etc, and the
> installation of unlicensed software. It does not reduce the Network/Desktop
> admins' total cost of ownership of the system.
>
> Regards,
> Steve.
>
> "Chris Jackson" <chrisjATmvpsDOTorgNOSPAM> wrote in message
> news:eHFw$p60DHA.4060@TK2MSFTNGP11.phx.gbl...
>> Developers who write code with an admin user token very often create
>> software that requires an admin user token to run, and the cycle continues.
>> As soon as we developers stop running as admins and see what it's really
>> like from a user perspective, then we can start hoping for change. I haven't
>> run as an admin on my local system for nearly a year now, and it hasn't
>> hindered my development a bit. What I do is keep an admin account, so I can
>> use runas if I need to do something that requires privileges, but I would
>> never run as admin for my day to day account.
>>
>> --
>> Chris Jackson
>> Software Engineer
>> Microsoft MVP - Windows Client
>> Windows XP Associate Expert
>> --
>> More people read the newsgroups than read my email.
>> Reply to the newsgroup for a faster response.
>> (Control-G using Outlook Express)
>> --
>>
>> "Stephen O'Sullivan" <steve@nospam_noway_dontyoudare.net> wrote in message
>> news:eZE$Hq20DHA.404@tk2msftngp13.phx.gbl...
>> > G/day forum,
>> >
>> > Can you tell me what the best way is of setting a bunch of power hungry
>> > developers on a system? They want admin rights, I don't want them to have
>> > these rights because that brings its own set of problems.
>> >
>> > Bear in mind, these guys are Developers and need typical dev rights on
>> > their systems.
>> >
>> > Your thoughts.....
>> > Regards,
>> > Steve.
>> >
>> >
>>
>>
>
> 

