I have been far too liberal in giving admin rights to my XP users. The improved User Access Controls in Windows 7 should help me break this habit.
I've been running across a lot of great Windows 7 ramp-up material lately. With the public release of the new operating system just over the horizon, there are a lot of tips around. It's ironic that there are so many "before you install" pieces coming out, since lots of IT pros have already been working with the release candidate of the OS for months. I'm never one to look the proverbial horse in the mouth, though, especially since I never really implemented Vista in my office. It's helpful for me to have an informed voice to let me know how improvements in Windows 7 might make my life easier.
One of the developments I'll appreciate most is touched on in Bill Boswell's recent "The 10 Things to Do First for Windows 7," published on Microsoft's TechNet site. Bill's piece is a larger discussion about transition and deployment considerations, but item number ten on his list skewered me in the vitals: "Remove your users' local-admin rights."
I'm guilty of giving out local administrator accounts too freely. It was Windows XP that forced me into that position, though. Certain tasks couldn't be accomplished in that operating system unless one was using an account with administrative rights. Because there wasn't a graceful means to interactively escalate privileges, I ended up giving out accounts with more access than I should have. I had no choice. I tried to be a hard case for a while, but our staff couldn't get work done and all my time was spent running around temporarily elevating users' privileges to facilitate trivial tasks. Loosening my security standards let my users become more self-sufficient, but I then saw problems increase as people gained the power to break things.
Windows 7 is designed to be smarter about account privileges and make it more viable for users to run Standard accounts. Applications that try to make changes to protected areas will be redirected, and rights to perform certain low-risk system chores have been granted to non-Admin accounts. It sounds like Microsoft has listened to users' Vista feedback by making the interactive User Access Control feature less annoying. (Having to authorize even minute tasks made people inclined to turn off UAC entirely, putting efforts to limit user rights back to square one.)
I'm still evaluating how Windows 7's UAC implementation will work for mobile users. They were the first folks I had to give out Admin accounts to under Windows XP. I'm also going to be sampling the applications we use to make sure they'll run properly under Standard accounts. Thankfully, Microsoft has made a tool to help me do that. I'll be leaning pretty heavily on the Standard User Analyzer Wizard and the Windows 7 Application Compatibility Toolkit in the weeks to come. I'm not certain yet that I'll be able to hold to a Standard Account in every use case. I have high hopes, though, that I'll be able to stop giving out elevated privileges simply to make the office go.