TechRepublic members share their strategies for dealing with maverick end users

How do you keep your end users from trashing their machines? Here are some of the techniques your fellow TechRepublic members use.


In “Reining in maverick end users,” I asked for your opinions on the best way to protect the company's computers from end users who install unsupported software and hardware. I received a lot of e-mail from TechRepublic members who believe they’ve tamed the majority of their maverick end users. Here are some of the highlights.

The technical solution and the punitive one
Technical manager MattShuff offered this opinion: “There are two solutions—the technical one and the punitive one:
  • Technical: Unleash the power of policy editing and user access if possible. Take away users’ ability to do anything that they shouldn't do. IT departments don't typically spend enough time planning for a new user, analyzing the needs of current users, and documenting systems. There are all sorts of stuff out there to keep users from doing just about anything. Unfortunately, if we didn't have to fix copier jams and screen saver crashes and clean up after viruses, maybe we'd have time to implement such solutions.
  • Punitive: Policies without consequences don't work. It's hard to treat professionals like children and even harder to take action on people who make the company a lot of money. What do you do to a manager or a top salesperson who keeps opening up mysterious attachments, downloading garbage off the Internet, and installing software on their own? If a company can afford to make an example out of somebody, then more power to 'em. Most can't and won't.

“The bottom line is that you need a good, strong IT department with leadership and authority. You can't tell users in your company not to install screen savers then allow a cutie pie to sweet talk a member of the IT staff into helping them do it. You need to put something in writing and make sure all members sign off on it and are adequately trained to follow it.

“Money, time, training—everything needs to come from the top down or nobody will listen. Sell the boss the value of e-mail security, good system documentation, and policy editing. Create a formal policy...be ready to enforce it. Spend some money and time on technological safeguards and planning, making sure the higher-ups are on your side every step of the way. Keep them informed and make them understand what you're doing and why you're doing it.”

I'd love to sit down with the owner of a company and the employee who violated the Tech policy, and say, "Okay, this is what you did. This is what we told you not to do. This is how long it took for us to fix. This is how much money the company lost as a result. Any questions? Good. There's your warning. Next time, it's coming out of your Christmas bonus. Bah, Humbug!"

Go NT
MichaelStewart wrote: “Our solution is to roll out Windows NT wherever possible and implement several NT security policies, including granting only relevant access to the desktop. For our call center staff, the desktop is strictly controlled while our drafting users have some liberties. Just by moving to a controlled desktop, we have managed to eliminate 95 percent of our troublesome (regular) calls.”

ChuckSteffens, PC help desk technician, agreed. “One of the most effective methods we have found is making our corporate standard a Windows NT PC. This solution is not a perfect one and carries with it its own difficulties, but with base user permissions, users are not able to load software which alters the registry. This policy has cut our user-generated problems by approximately 80 percent.

“There are a few drawbacks to this, such as:
  • We (the IS Department) now are responsible for loading all software.
  • A large percentage of the 'need specific' software out there—including all off-the-wall software which helps our users perform a highly specific task like Workers’ Compensation reports or Stock Options tracking—is very quirky when loaded on NT or when integrated with a network.
  • Windows NT requires much more extensive testing of prospective products (software and hardware).
  • If you must supply users with the local administrative password to a PC, the integrity of that PC is compromised.

“We have counteracted these difficulties in the following ways:
  • Implemented Microsoft Software Management System (SMS) to handle the bulk of software installations and user support remotely. This tool also allows us to audit all PCs on the network and determine if unauthorized hardware or software has been loaded on the PC. Transgressions of this nature are either brought to the attention of the user, their direct manager, or their area or regional manager depending on the severity.
  • We request a copy of all prospective products, test them in all applicable environments and under all different types of permissions, and document our findings prior to adding them to our list of supported products. If the software does not meet our criteria, but the users demand that they need it, we will, at our discretion, install it and inform them that all support must be obtained by them from the manufacturer of the software.
  • We created an administrative account on the network which we keep locked except when we are assisting a user in performing administrative functions on their PC, which keeps the local administrative password more secure.”

Use ZENworks
TechRepublic member GregA. wrote: “Our ‘maverick user’ botched a Microsoft IE 5.0 install that her boyfriend said would make her machine run better. What he didn't tell her was that the security concerns our MIS dept. has outweigh any supposed increase in functionality. He also didn't tell her that you must finish the download before the ‘plusses’ can outweigh any ‘minuses.’ Her machine, one of the more important machines in the accounting department, was toast. It took two weeks of coordination with various bank-software vendors to get a new machine at her desktop.

“Using Novell ZENworks, her desktop and applications are locked down. Luckily enough, her boyfriend knows nothing about Novell (another plus for MIS). We threaten anyone straying from policy with the same fate. As they watch our wayward accountant, they realize that it's not worth the hassle just for WebShots screen savers, and they leave the internal workings to us now.”

Try WinShield
Tim had this recommendation: “All sorts of tips for editing registry, etc have been published to prevent changes. I've found a real inexpensive solution: WinShield, about $20/copy. It implements in a menu interface about 60 lockdown options on EVERYTHING imaginable that can be locked down, and can be unlocked to allow authorized changes and software installs (one user brought in his own unauthorized copy of PhotoShop). It is a nifty front end for all these registry changes.

“We only locked out the control panel, network, printer settings, registry, and the Run command. This saved lots of user time dinking with screen savers (which is contagious as they have to show all their co-workers how to do this). One sophisticated user (who has moved on to publishing Web pages) managed to delete the WinShield software because we hadn't locked out DOS boot, but the lockdown settings were still in effect in the registry and he still couldn't get in.

“With software like this, all user workstations are similar if operators have to switch between them. We only needed to send out a mild memo saying no changes as the options simply disappeared from the menu. While they love their screen savers, we've found the blank screen saves electricity and air conditioning. I don't work for WinShield; I just think it's a useful program that other IS departments might want to look at as a timesaver.”

Ghost to the rescue
MarkW. wrote: “We use Ghost software to keep the maverick users in order. The rule here is if you download a program that trashes your machine, we simply boot from floppy and re-ghost the machine. Twenty minutes later (unattended), they are back up and running. There is a small price, however. All those other things they installed or downloaded previously are gone and most of their settings are back to default. After they have to rearrange their screen and icons to get them just the way they like them, customize all their settings, and lose all those valuable screen savers a couple of times, it gets old for the maverick users and they begin to fear the dreaded re-ghost.

“This works for the CEOs, too. ‘I can get you up and running in 20 minutes or I can take this back to our work area and tinker with it for several hours in which case you will be without a computer.’ So far, we have 100 percent compliance on the 20-minute solution. It is most likely the easiest decision they have all day!”

Three strikes and you’re out
KevinNoble uses this approach in his shop: “Naturally we have struggled with this problem like most shops, so we took a look at the percentage of support calls stemming from the mavericks installing rogue software gone bad; it was hovering about 18 percent.

“Being a complete NT shop, we have the option to lock down the PC to a great degree. My counterpart administrator was sure we could not allow users to install applications. I, on the other hand, gave the users the 'three strikes' rule and then enforced the lockdown. Neither works well—users always protest any type of lockdown or limited permissions.

“We finally decided to push the decision to the managerial level and that seemed acceptable to most. Instead of an all-or-nothing rule for users, each group has an administrative account that is given to each group manager. Some group managers give the account to all the users under them and some restrict it to themselves or a key person within the group. By pushing the decision down, it sets us free from the debate. When something does go wrong due to rogue software installation, we make sure the manager of the maverick is well aware of the problem and we recommend the restriction of the Group Administrative account. Not as effective as a shock collar, but functional.

“Sure, you can argue that by giving them an administrative account they can do as they please. The users can use the administrative account to add the personal user account to the local administration group, but we find only a small percentage do. Most users never think of this and we don't share this information. By having this mental separation of the two accounts, they begin to understand as they are embarking on an administrative task that has risk involved. They must log off and log on with this account as if to make a journey into the unknown. Average users get apprehensive and call tech support. If you want to make a clearer separation, you could also script a dialog box with a warning message and a disclaimer if needed.

“This may seem like a more complex solution or appear not to be qualified as a solution, but only 4 percent of support calls now stem from the maverick installation of rogue software. I guess it works.”
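
Two of the controls described above lend themselves to an automated check: ChuckSteffens's audit of PCs for unauthorized software, and the gap KevinNoble mentions, where a user holding the group administrative account adds a personal account to the local administrators group. The following is an added example, not code from the article or its contributors; the inventory records are constructed, and the account names, supported-products list and severity labels are assumptions.

```python
# Added example: audit a constructed per-PC inventory export.
# All account names, the product list and severity labels are assumptions.

# Accounts expected in every PC's local Administrators group (hypothetical).
BUILTIN_ADMINS = {"administrator", "corp\\domain admins"}

# Per-group administrative account handed to each group manager (hypothetical).
GROUP_ADMIN = {
    "accounting": "corp\\grpadmin-accounting",
    "drafting": "corp\\grpadmin-drafting",
}

# Supported-products list, lower-cased for comparison (hypothetical).
SUPPORTED = {"microsoft office 97", "norton antivirus", "autocad r14"}

# Constructed inventory records, one per PC.
INVENTORY = [
    {"pc": "ACCT-01", "group": "accounting", "user": "CORP\\jsmith",
     "admins": ["Administrator", "CORP\\Domain Admins",
                "CORP\\grpadmin-accounting"],
     "software": ["Microsoft Office 97", "Norton AntiVirus"]},
    {"pc": "ACCT-02", "group": "accounting", "user": "CORP\\mjones",
     "admins": ["Administrator", "CORP\\Domain Admins",
                "CORP\\grpadmin-accounting", "corp\\MJones"],
     "software": ["Microsoft Office 97", "WebShots Desktop"]},
    {"pc": "DRFT-07", "group": "drafting", "user": "CORP\\tlee",
     "admins": ["Administrator", "CORP\\Domain Admins",
                "CORP\\grpadmin-drafting", "CORP\\grpadmin-accounting"],
     "software": ["AutoCAD R14"]},
]


def norm(name):
    """Case- and whitespace-insensitive form for comparing names."""
    return " ".join(name.split()).lower()


def audit(record):
    """Return a list of (severity, message) findings for one PC record."""
    allowed = set(BUILTIN_ADMINS)
    group_account = GROUP_ADMIN.get(norm(record["group"]))
    if group_account:  # unknown groups get no delegated account
        allowed.add(group_account)
    findings = []
    for member in record["admins"]:
        if norm(member) in allowed:
            continue
        if norm(member) == norm(record["user"]):
            # The PC's own user has been promoted to local administrator.
            findings.append(
                ("high", f"personal account {member} is a local administrator"))
        else:
            findings.append(
                ("medium", f"unexpected local administrator {member}"))
    for product in record["software"]:
        if norm(product) not in SUPPORTED:
            findings.append(("low", f"unsupported software: {product}"))
    return findings


def report(inventory):
    """Map PC name to findings, omitting PCs with nothing to report."""
    results = {}
    for record in inventory:
        findings = audit(record)
        if findings:
            results[record["pc"]] = findings
    return results


if __name__ == "__main__":
    for pc, findings in report(INVENTORY).items():
        for severity, message in findings:
            print(f"{pc}: [{severity}] {message}")
```
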