General discussion

  • #2259214

    users with administrator privilege

    Locked

    by storch ·

    Hi,

    This may seem very basic to all of you but it is a real problem for me and I need your help in solving it.

    For years, all the employees where I work have had administrator privileges on all of the computers, even though most of them don’t know what that means. All the computers have the same login and password. It is a free-for-all. As you can imagine, it is a tangled mess.

    To their credit, the Macs on the LAN have fared much better than the Windows machines. However, even the Macs have some problems due to the total freedom that users had to merrily download and install.

    I can get this mess straightened out IF I am allowed to lock everyone out so that once I get everything cleaned up, I can keep it that way.

    My problem is in convincing management that only I – or another tech of their choice – should be allowed administrator privileges. I have showed them with the numbers how much money they can save by me not having to constantly chase both phantoms and real nasties. They are still not convinced. They like the idea of everyone being able to do whatever they want, whenever they want. They don’t really realize how much downtime is caused by this “freedom”. I apparently haven’t presented a strong enough argument as yet.

    Any suggestions would be appreciated. Thank you.

All Comments

    • #3230842

      Business case

      by curlergirl ·

      In reply to users with administrator privilege

      Usually, the business case for security issues like this is made by illustrating what could happen if someone got unauthorized access to your network. The cost of your having to go around and clean up after everyone is a hard case to make. From management’s standpoint, they’re paying your salary, and if that is part of your job, they don’t see that making your job easier or making you more efficient is going to save them money. We all know that it will but it’s hard to convince upper management. Perhaps looking at the bigger picture, which is what they will want to see, will help. Look at it from an overall security standpoint, including concerns like network intrusions, trojans and malware that allow hackers to steal information, etc. Depending on what type of company you work for, this could be easy or hard. If your company is in the retail, financial, legal or medical field, where there is a lot of consumer confidential information in your systems, it’s easier to make the case that it could cost the company hundreds of thousands if not millions of dollars (in law suits, etc.) if some unauthorized person got into their system and stole customer information. If you’re in a different field, the case might be a little harder to make, but at least you can always make the case that a disgruntled employee with such total access to systems could trash their entire network and walk out the door. That would certainly cost a great deal and, depending on how good their disaster recovery systems are, they could even lose vital data.

      I just had a somewhat acrimonious newsgroup argument with another network admin about this issue and the idea of “trusting” or “not trusting” your employees. He claimed that he trusted his users and they trusted him, so they wouldn’t do anything to trash their machines. I argue that it isn’t a matter of trust at all. Of course you want to trust your users, and most of them will of course be completely trustworthy. But it’s naive to ignore the fact that even a single user with administrative access to systems, who for some reason forms a grudge against the company, could do some serious damage. This happens with formerly trustworthy employees every day; it’s why many companies now, when they fire someone, don’t even allow them to return to their desks before leaving the building. I’ve had clients instruct me to lock an employee out of the network at a specific time of day because that’s the time they were going into the human resources office to be fired.

      I don’t know if these ramblings have been helpful, but I hope they’ve given you some ideas.

      • #3230820

        Thanks!

        by storch ·

        In reply to Business case

        Curlergirl,

        Good points!

        Regarding trustworthiness- I do trust the users for the most part. But I have found that problems are being created perfectly innocently on the users’ part. And then there is always the possibility of that occasional ex-employee with a grudge.

        Thanks for your help.

        PS I am embarrassed to say that I knew nothing about Curling until I saw it in the Olympics. Fascinating. Do you play?

        • #3199683

          Curling Rocks!

          by curlergirl ·

          In reply to Thanks!

          Yes, I play, very enthusiastically. And don’t be embarrassed – almost no one in the U.S. knew about it until the Olympics, except in the upper Midwest states. In Canada, it’s so popular it’s like bowling or even baseball in the U.S. in terms of how many people do it.

          I started about 18 yrs. ago and plan to continue as long as I can. It’s a great game, requiring brains, physical control and strategic abilities more than brute strength, and something you can continue well into your “senior years.” If you want more info about it, go to my club’s website – http://www.norfolkcurlingclub.org.

      • #3208995

        Completely agree

        by pkr9 ·

        In reply to Business case

        All your points are valid, but most bosses won’t understand as their world is what they (or their teenage son) does at home. “Hey let’s use this thing called Windows, people use it at home, so we save on education”. Ever heard that phrase?

        Ask them to hand out the building master keys to everybody. Why should access to the building be more strict than access to vital information?

        rgds
        Peter

      • #3205776

        show them what could happen…

        by arlie1982 ·

        In reply to Business case

        I started working for a small title company about 8 months ago. When I came in everything was a mess. Everybody had admin rights on every machine. I came in and made a comment to my boss that it wasn’t good. I showed him what one machine could do and almost immediately he gave me control over the network. Our network was so slow; spyware, adware, even viruses were crawling on our network. Once I cleaned it all up I dumped everybody down to users. It was a pain but after that uptime and network performance boosted up. Hope this helps!

      • #3205767

        Give them access to what they need

        by sully ·

        In reply to Business case

        If you know what they need specific access to then give them that access explicitly. You can provide access or go into advanced to supply specific “drilled down” permissions to certain folders. The best routine for this is through proper OU and GP management. Create an OU for these admins and add their user accounts to them. Open the properties for that OU and apply the appropriate GP to it. Then fine tune it by adding directory permissions where applicable. No one but admins need full permissions over the drives; however, some folks may need “almost” full permissions over certain directories within the drives. You can tighten security by requiring username and password information for all access and by disabling the caching of passwords on the local machine but that may not be the best solution, it rarely ever is and makes your job more daunting. If they are able to do their job without knowing that they don’t in fact, have “full permissions” on all of the drives then you’ve won and they’ve won. If they still manage to think that they are supposed to have “full” permissions then document accordingly and give it to them and document all of the issues that come up that result in you doing more work for their screw ups, just don’t label it that way. Present the case, bring the focus into perspective and offer a solution and then train them in how to use their network. The analogy I’ve used in the past has been related to a person’s relationship with their accountant. Yes, they have the right to see everything the accountant does and should be able to change anything they want; however, why did they hire the accountant in the first place? Usually, we all hire experts to delegate the burden and control effectively and we trust those experts to handle the tasks and responsibilities of those jobs. I can’t see the reason for allowing any “Non-Administrator” full permissions over anything, unless a specific program or process requires it, like some DOS apps.

        The other issues that come up are that sometimes upper management “needs” something because a lack of training tells them that they need something they don’t. Ask enrolling questions, get their answers and discover how they are using the network, then compare that data to how you need them to use their network and discover a course of action to achieve that result. My thoughts are that this is a mix of training and a mix of communication that is getting lost in maybe jargony terms and lack of enrollment. Keep it simple and clear and always take care of your bosses, just cover your a$$ with appropriate documentation.

    • #3230834

      They pay you the same amount either way

      by jdclyde ·

      In reply to users with administrator privilege

      so that is not where you want to build your case.

      Look towards end-user down time. When they pick up the latest virus/malware, how long are they down on average? What would it take to prevent this down time?

      Keep in mind, your job is NOT to keep systems in a set config, it is to make sure the users can do their job. Period. If the user can not do their job, there is a problem that needs to be addressed.

      Lock down the insecure sections as much as you can, without restricting what the user can do. More than that, and in the current environment you will just be seen as the wannabe IT-Nazi on a power kick.

      You have to show them how THEY benefit. They don’t give a rats a$$ about how YOU benefit, so leave that out.

      Good luck.

      • #3230818

        you’re right

        by storch ·

        In reply to They pay you the same amount either way

        Thanks jdclyde,

        I actually am concerned about stepping on toes and perhaps appearing like I’m a cop.

        For me, it truly is about having everybody be able to do their work unencumbered by computer hassles. I see what you mean. I need to show management how the Users will benefit. I will leave the part about me out.

        Thank you

        • #3230815

          Been there, done that

          by jdclyde ·

          In reply to you’re right

          won the cookware. 😀

          I have already been through this same thing, and still do to a point. The voice of experience.

          Oh, non-geeks have heard so much doom and gloom from the people pushing security products, they are pretty numb to a lot of that as well. They are like kids, with the “It won’t happen to me” attitude.

          Good luck.

        • #3283764

          Not all. . .

          by bkinsey1 ·

          In reply to you’re right

          Don’t just show them benefit for the users, show them benefit for the business, chiefly in the form of reduced risk.

          The risk of data loss or theft has already come up, and it’s valid. But equally valid is accountability. That same login and password situation should scare the crap out of any manager whose vocabulary includes the word “lawsuit”.

          To illustrate, suppose any number of things: an employee surfs where they shouldn’t and gets into legal trouble, somebody manages to infect their system with the latest file-destroying virus, which spreads through the swiss-cheese security and destroys (or worse, alters) your quarterly financials, or whatever. Who did it? Who knows! Even if you trace the login, it tells you nothing. Most management understands “CYA”, and would tend to want to fire the person responsible. But if you can’t document who that is, you’re looking at possible wrongful termination suits. (Extreme case, admittedly, but something along those lines)

          As far as local admin rights for users, I tend to think of it as the bane of our existence, but there are points on both sides, depending on business needs of the users. Worst thing about it is probably security – any malware will run under the user context of the logged-on user; if they’re an admin, there are basically no limits to what it can do.

          Hard battle to fight, but worth winning. . .

        • #3208988

          A little at a time

          by emar1000 ·

          In reply to Not all. . .

          This brings back memories of my old job. I had the same issues where I worked as a help desk tech. And sad to say even the network/server admin really had no clue what real security was. It was an uphill battle every step of the way. So I just found myself backing off and took a different approach. Now granted at the time I was not the server admin so I had no access to do it from there. It took a little time but I eventually made it to all 200 PCs and locked them down just a little bit at a time. I know this may not be exactly the answer. But maybe doing it a little at a time might work.

        • #3205805

          A sign of an immature workplace

          by jtakiwi ·

          In reply to Not all. . .

          The situation as described is one I (and probably all of us) have encountered at least once. Myself, much more than once, due to the nature of the business I’m in. One such client said they wanted their employees to be able to do what they wanted and didn’t see the point of restricting their employees in any form or fashion, especially the salesmen. “They must be able to do their job, regardless, so they must have full rights to everything on their local computer”. So, I asked if porn was part of what they had to have access to? I even mentioned limiting their rights wouldn’t keep them from looking at it, just limit them from downloading the crapware that sites like that tend to try and load. No dice, “my salesmen must be able to do anything!” was the mantra, totally discounting the fact these guys were basically computer illiterate. Their only “skill” on the PC being limited to surfing porn sites at prodigious rates. Faced w/ facts, the owner of the company was shown stats and staggering downtime (to the tune of three or four hours a month, per PC) due to just spyware removal. These clowns would even disable the AV software because it would block a virus, mistaking it for stopping the download of who knows what. Needless to say, nothing worked. We locked down what was possible, but if the company doesn’t want to stop their behavior, there is really nothing you can do to change it. To CYA, create an IT risk assessment, cover it all, from UPS’s to data loss, to legal action (all that porn, someone was looking at kiddie porn, that’ll get you shut down asap). Update your resume and start hunting for a new job, unless you like changing the diapers of morons.

        • #3205765

          I have to agree 200%

          by emar1000 ·

          In reply to A sign of an immature workplace

          That is one of the bigger reasons I do not work there anymore. I am not into babysitting. When I had to re-load this one person’s PC four times in six months and STILL no one said anything when I made a big deal out of it. Kind of made me feel like an idiot (for about 2 minutes) then started looking for another job. The job I have now is perfect, they don’t play the user games. I have been here almost a year and 5 people have been fired for internet abuse. I need to stop here or I can really get on a soap box. Just one last thing not that it matters. I have even got very hard on users outside of work. If I tell the person once they need to stop all the ridiculous downloading, if they don’t they no longer get my help. I have better things to do. See told ya I can get on a soap box.

          Cheers

    • #3230825

      Methods

      by mjd420nova ·

      In reply to users with administrator privilege

      One way I had of demonstrating what that kind of open system was like was to take a file cabinet drawer, loaded with outdated files, valid files, database, employee records, accounts payable, accounts receivable and inventory. They were assembled in various subfolders etc. It was quite similar to the file system present in the computer system. I asked each person that had free access to the system to look in the drawer and pull out a file; random file names were drawn from a list of those present. Most could not find any files that they hadn’t generated, as they at least remembered their own particular route to find them. That kind of hit a sore spot with just about everyone but really struck a nerve with the owner. He couldn’t even find a single file and gave up after 6 failed attempts. Then he expressed his displeasure by locking down the system upon realizing that he wasn’t running the company, everyone else was. I did not include any of the photos, some nude and others explicit, or the personal e-mails and countless joke sheets and football pools. That might have cost them all their jobs. Then the realization set in when they found that the information they had on the system was available to anyone, you just had to poke around and look.

      • #3230769

        great demo

        by storch ·

        In reply to Methods

        Mjd,

        I love this! What a great way to graphically demonstrate the situation. You’re very creative. I’d like to try it if you don’t mind me stealing your idea.

        Many thanks.

        • #3230746

          Go for it.

          by mjd420nova ·

          In reply to great demo

          It’s not really a patent or copyright. I originally used the idea in my own home after trying to find some photos that the kids had downloaded. My cure was to set up a machine for each child, and what they did I didn’t care, if they got lost, so be it. If they got infected or hijacked, they had to admit guilt and ask me to clean it up. I don’t mind, as it allowed me to show them what effect they have on their units with the helter skelter way they copied, downloaded and accessed websites. They became more compliant after a couple sessions. Good luck.

    • #3199863

      Administrators

      by absolutely ·

      In reply to users with administrator privilege

      If I were your boss, the one fact that you haven’t posted and which I would insist on having before allocating any more money to your department is: how much will it cost to implement your “improvement”? I know it’s dirt cheap to make a hard drive image with Norton Ghost and deploy it to your entire local network, but have you told your boss how cheaply you can prevent this costly downtime?

      • #3283800

        $ considerations

        by storch ·

        In reply to Administrators

        Yes, I have told my boss how cheaply I can prevent this costly downtime. Whereas he is certainly interested in the money aspect, that has not been enough to convince him.

        Consequently, I came here to get some more ideas and I have. Very good ideas too. I appreciate all of the responses. I know how busy everyone is. You’re a good group of folks here at TechRepublic.

        I am the only one of my “species” 🙂 in my dept. so sometimes I get to feeling rather isolated.

        Thanks

    • #3199656

      Stealth approach

      by oldbag ·

      In reply to users with administrator privilege

      When I first started at my current position, the network was in a similar situation except most of the PCs were W98. There was nothing at all to stop anyone from using the systems.

      Over time, hardware has been upgraded. As I configured each new system (in my work area), I configured them for a user and password. Nothing at all was said about admin privileges. I only get questioned on this occasionally and that is usually when someone wants to install something. The admin password is not given out.

      • #3283795

        a possibility

        by storch ·

        In reply to Stealth approach

        I have thought of that approach and I wonder if I just should have gone ahead and done what needed to be done without asking “permission”.

        It sounds like it worked out fine for you. I am somewhat surprised that you weren’t asked any more questions than you were – but that’s great.

        Thanks for your thoughts on this.

        • #3205670

          It worked out because….

          by oldbag ·

          In reply to a possibility

          most of my users are not exactly what could be called ‘power users’. I setup the systems with necessary apps and most of the time, nothing further is needed.

    • #3209007

      Try “clerk” or “janitor”

      by m.jarvis ·

      In reply to users with administrator privilege

      I once read an amusing account of an academic UNIX admin with this problem–all the PhD’s had “reasons”–and clout–to force him to give them the root (UNIX administrator) password. He solved the problem by changing the name of the administrator account to “clerk” and the demand for THE password dropped sharply. I suppose that “janitor” would work just as well–and sysadmins ARE electronic janitors.

      It would be a little harder to pull off in a Windows environment, but HEY, it’s fun to think about.

      -mj-

      • #3208991

        Love your reply!!

        by joyce.lippens ·

        In reply to Try “clerk” or “janitor”

        And it worked!! Amazing what people with “clout” want things to look like BEFORE they consider them worthy of their use! Brilliant!!!

    • #3209001

      My thinking on this..

      by sevenex ·

      In reply to users with administrator privilege

      Maybe one of these could work, but it’ll depend on if they’re willing to undergo the expense, either of your time or the extra equipment or setups in #2.

      1) Warn them if everyone has a free-for-all that it may require whatever they have installed or important data not backed up to be “hosed” if it’s just too much trouble and fuss to clean it up, particularly if a nasty is caught that makes significant or critical changes, such as the file system. Sometimes, time is of the essence unless your management has the Devil May Care attitude about things. Keep mirror images of a clean system and be prepared to ghost.
      2) Perhaps having alternate computers, a kind of community computer(s) also networked could help you drive home your argument. Lock down the important machines as you suggest, yet have the alternate ones as those free-for-all’s so they will see what happens, and document it whenever anything is required of any computer for A->B comparison including installation of all apps. Hopefully the overall network can support the extra bandwidth demanded by this solution, although I worry if these share the same network that a nasty may still propagate regardless, so a separate subnet separating these two classes would better prove the case, albeit even more expensive! Each to their own I say, but do be careful with the politics that they cannot be allowed admin access on the important or lockdown machines. Especially when dealing with non-tech sales, this can quickly become problematic and make the validity of your results as invalid. If you are to conclusively prove your point, the above can’t be violated, NOT EVEN ONCE!
      3) As an in-between, have the company approve a policy of requiring approval of any and all program apps, regardless of one’s standing or position. That would be ideal in my opinion. In your favor, you’ll be able to review if installation of apps on the company’s workstations or network is legal or requires licenses in the environment – a perfectly appropriate role for any attentive admin to attend.

    • #3208998

      Use Financial Figures as a Weapon

      by ssp ·

      In reply to users with administrator privilege

      It is very simple as well as complex. First and foremost you should have some kind of “financial data” in your hand. Collect some kind of financial data and show it to your management. Management never worries about the latest anti virus patches or firewall policy/setting, they are just worried about monetary aspects. Hence if you prove that there is a substantial loss both in form of time and money by showing your figures, I am sure they will definitely pay heed.

    • #3208989

      Sometimes….

      by joyce.lippens ·

      In reply to users with administrator privilege

      The best case is proven in the pudding so to speak….Questions: Has the network ever been compromised to the point of complete disaster? Do you have a good disaster recovery plan? Sometimes upper management will not listen until you have a “reaction” situation instead of a “proactive” situation as it sounds you are trying to create.

      I read a few of the posts and they all had wonderful ideas! I really liked the idea of making the administrator id clerk or janitor….that was one of the best I had heard yet!

    • #3205832

      Use the leverage in Sarbanes Oxley law

      by jbwardlaw ·

      In reply to users with administrator privilege

      Your executives obviously do not understand their legal responsibilities about proper internal control. I recommend that you review the Sarbanes Oxley law. It spells out how internal control must be implemented. Data and network security are totally involved.

      • #3205755

        Hooray!!!

        by sully ·

        In reply to Use the leverage in Sarbanes Oxley law

        Yes, that is the ticket. There is even more to come with this law and others that are sick and tired of business’s obvious abuse of data security because an owner thinks he/she needs to make everything easy. Good call.

        • #3205742

          IF the co. is publicly owned

          by curlergirl ·

          In reply to Hooray!!!

          Sarbanes-Oxley only applies if the company is publicly owned (i.e., stock is publicly traded). This is not the case with 90% (or more) of the companies in the U.S., so be careful. For example, the clients I work with are all very small companies – usually 100 or less employees – all of which are either partnerships, sole proprietorships, S-corps or limited liability corps. None of them are subject to Sarbanes-Oxley. If I brought it up to them, they would just thumb their noses at me, particularly since a lot of them are lawyers!!

          Edited for grammer – for all you grammar-mavens, I meant to say, “usually 100 or FEWER employees” not “100 or LESS”. 😉

        • #3282547

          True, but consider this

          by paulinglis ·

          In reply to IF the co. is publicly owned

          Sarbanes-Oxley or not, does your company (no matter how few employees it has) do business with other companies?

          I ask this question because your employees may take their laptops and connect to another company’s network.

          Is your company willing to take the risk of infecting another company’s network with viruses/trojans?

          And remember the company is responsible for the actions of its employees. If you have someone who is a loose cannon, it’s not just your own internal systems that are at risk: that employee might do damage to other companies’ systems as well (even just via email). And guess who is held responsible? Yes, the employer. Particularly if you can’t even identify which of your employees was responsible.

          This isn’t just hypothetical – I’ve been involved in legal situations where employees of Company A have sent lewd, threatening (or just generally inappropriate) emails to an employee of Company B. All of a sudden you’ve got a lawsuit on your hands. And if most of your clients are lawyers then they really ought to know better. I think they should hire somebody with Compliance qualifications quick smart.

          If that doesn’t scare you enough – one day you might have an employee downloading very illegal stuff. When the Feds come to your office they’ll arrest YOU, Mr or Ms Network Administrator. That’s no joke, and yes it really happens.

    • #3205825

      CYA, and then…

      by carlsondale ·

      In reply to users with administrator privilege

      I hate to say it, but you need to CYA. Write a recommendation in the form of a letter, which includes your justification(s) to the decision-makers. Send it HARD-COPY, cc: anybody else who might be involved in the process, and request a response by a certain date. This will have the effect of covering your behind, as well as applying pressure to the decision-makers (because now they have to put their decision in a historically-verifiable format).

      You might look at some other technical solutions also. Set up separate User and Admin accounts for everybody. Have them all login with their user account, and then use RunAs to install programs as they need to. It’s not perfect, but it makes them think about what they really need. It’s also the best practice (for admins as well as regular users).

      You might also think about security templates, which come with Windows, can be modified to your needs, and installed locally or through Active Directory.
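      An added example, not code from carlsondale or anyone else in this thread: a PowerShell script that audits the local Administrators group on a machine, records the membership to a CSV (the documentation trail sully asks for above), and removes every member not on an approved list only when run with -Enforce. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts module (Get-LocalGroupMember / Remove-LocalGroupMember) and an elevated session; the group and account names in $ApprovedAdmins and the CSV path are placeholders to replace with your own.

```powershell
# Added example (not code from this thread). Audit the local Administrators
# group and, only with -Enforce, demote everyone not on an approved list.
# Assumes Windows PowerShell 5.1+ (LocalAccounts module) in an elevated session.
param(
    # Placeholder names: replace with the accounts/groups that should keep admin.
    [string[]]$ApprovedAdmins = @(
        "$env:COMPUTERNAME\Administrator",
        "$env:USERDOMAIN\Domain Admins",
        "$env:USERDOMAIN\IT-Techs"
    ),
    # Placeholder path for the audit record.
    [string]$ReportPath = "$env:ProgramData\admin-audit-$env:COMPUTERNAME.csv",
    [switch]$Enforce   # without this switch the script only reports
)

# The account running the script is never removed, so you cannot lock yourself out.
$self = "$env:USERDOMAIN\$env:USERNAME"

$report = foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Member      = $m.Name
        ObjectClass = $m.ObjectClass        # User or Group
        Source      = $m.PrincipalSource    # Local, ActiveDirectory, ...
        Approved    = ($ApprovedAdmins -contains $m.Name) -or ($m.Name -eq $self)
        Checked     = (Get-Date).ToString('s')
    }
}

# Keep a written record of who had admin rights and when.
$report | Export-Csv -Path $ReportPath -NoTypeInformation -Append
$report | Format-Table Member, ObjectClass, Source, Approved -AutoSize

foreach ($entry in $report | Where-Object { -not $_.Approved }) {
    if ($Enforce) {
        # Drop the member from the group; their normal user logon keeps working.
        Remove-LocalGroupMember -Group 'Administrators' -Member $entry.Member
        Write-Host "Removed $($entry.Member) from Administrators"
    } else {
        Write-Host "Would remove $($entry.Member) (re-run with -Enforce to apply)"
    }
}
```

      Run it once without -Enforce on each machine to collect the CSVs and agree the approved list, then with -Enforce to apply it. Demoted accounts keep their standard user logon; the separate admin account that stays on the list is the one the tech uses with RunAs for installs, which is the two-account split described above.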

      • #3205758

        RunAs for users???? eh,,,,, no, please don’t

        by sully ·

        In reply to CYA, and then…

        Users don’t even like passwords, now you want to give them a back door? Don’t do that. If you have secure data, get in a domain environment. If this were Windows 2000 or better you could apply the appropriate GP over the proper OU structure and configure the right DFS roots to access the appropriate shares across the domain if you really wanted to do something savvy. Take a hard look at this question. “If I were designing the network infrastructure right now with the current available staff, what would it look like and how would I do it so that everyone was happy and security regulations were met?” I understand that it is even more difficult to sell another approach and/or more software/OS’s but if you’re not in a domain environment this is all for nothing and you won’t really be able to lock down anything. They will need some sort of elevated privileges to do something in the network and if there are shared printers from a box that is not locked down and on the internet your files are fair game for any savvy person who wants them. Again, the RunAs function is an administrative work around so that an administrator doesn’t have to log the user off and back on again to install a printer. It is best practices for the admin only and saves a company money in resolving common administrative tasks. I monitor several networks with AD and Exchange with remote access and several vendors “needing” “full access”. They think they have it, but they don’t and they will never have it as long as I’m hired to take care of these businesses’ “critical needs”. They get what they need when they provide a clear request that includes a reason that is justifiable. Even then I look for an alternate way of locking it down even more. There are laws in the US being created now that will fine any publicly traded company that has major network security holes. Companies cannot hide behind the “easy” administration techniques, they will have to comply or fly.

        • #3205698

          RunAs

          by carlsondale ·

          In reply to RunAs for users???? eh,,,,, no, please don’t

          I’d certainly agree that using an OU structure with appropriate GPs is the way to go IF you’re using Active Directory (storch didn’t say one way or the other).

          I might’ve only implied it, but if set up to use RunAs, each user would have TWO accounts – one as a User, and the other with “enhanced” permissions that can be set up using Local Policies or in AD as you advocate (and which users could think of as their “administrator” logon). Microsoft, among other leaders in the industry, recommends this method as a best practice for everybody (who needs it), whether in a domain or not, not just as a work-around.

    • #3205804

      It is not all about you

      by haligonian ·

      In reply to users with administrator privilege

      There have been a number of good replies as to how you can create the technical arguments for restricting access of the users. What I haven’t seen is how to present to managers. Learning how to prepare the argument/position in a way that is “manager ready” is something most of us IT people are not great at. We think that if we can show them the logic they will follow.

      What we often forget is that managers are not dumb people. They analyze business cases on a regular basis and are looking to see the balance and trade-offs. If you present to them a fully one sided view of an argument they will not be convinced. They know from their years of business experience that changes like this have a trade-off, and they want to see both sides of the argument (savings and additional costs), but it is not up to them in their busy day to go and figure it out. Based on your comments about them liking the idea of the users being able to do whatever they feel like on the systems, they must have some sense that there is a business need for this, whether it is a technical need or because they feel it is good for morale to not create a difficult user environment.

      Some of the things I would try to address in your presentations would be the following:
      1) How often do users have an actual business need to have administrative privileges? As a consultant it would really piss off my clients if I couldn’t arrive on their site, install whatever software I needed, and get to work right away.
      2) How will this increase the number of calls to the help desk because users “can’t do what they want to do”?
      3) How many additional people are required to address the increase in calls to the help desk?
      4) How will you determine if you will perform the requested work when you get to the user’s desk? (“I want to install World of Warcraft on my laptop”)
      5) What will be your service level agreement for performing the tasks that require admin rights that the users used to be able to do themselves?
      6) If you have mobile employees, will you provide remote support, 24 hours a day?
      7) Will there be any exceptions (do you have super users in your environment?)
      8) How will you address the new single point of failure that only you can have admin rights (and probably only one other person isn’t enough to satisfy a manager)?
      9) How do you address (in the manager’s mind) looking like you are trying to have some built in job security as being the only one who can do this?
      10) How will you let the users know what is changing and what they will experience that is different in their systems?
      11) How will you make this change to all of the systems in a timely manner that will not disrupt the business?

      There are others, but these just jumped out at me. These may not be easy things to get a handle on factually, but if you don’t have the information to back up the business case, then don’t bother presenting it. Remember that from a management perspective it is not all about you. It is about the tradeoffs of change, and how it affects the business and users, both technically and emotionally.

      • #3205789

        All good questions ….

        by j alley ·

        In reply to It is not all about you

        … and I bet you can answer most of them in a way that gives your senior manager a warm and fuzzy feeling that you have it all under control. For some like the last 2, you might even present a small project plan so that your manager knows what to suspect.

        Those that don’t have a direct answer can be resolved by proposing a policy – such as your SLA, that mobile users will have the admin password but also their own to do their work and will ‘connect as’ to do admin tasks, etc. Present the draft policy with the project plan, risk analysis (the stuff in my other post) and the business case and you should be on your way.

    • #3205799

      Consider also SW License compliance and others

      by j alley ·

      In reply to users with administrator privilege

      I’m not a big fan of aggressive CYA and as a senior manager, an employee who asks me to respond in a certain time frame to a CYA memo undermines her own credibility.

      Many good points here – and I too love the one that changes ‘admin’ to ‘janitor’.

      One that has not been brought up is the issue of managing software license compliance. With everyone having admin privileges and having the same userid/pw, your company almost certainly has illegal copies of SW. The SW industry is getting more aggressive and any audit would find your illegal SW, and they would shut you down until you got it fixed. If you don’t, there is big lost time and big lost credibility with your clients.

      Another has to do with Human Rights legislation and anti-harassment legislation (which vary a lot between jurisdictions). Now this isn’t necessarily fixed by removing admin rights, but all those off-colour (Canadian spelling) jokes, photos etc. have been considered in some as ‘contributing to a poisoned work environment’ and managers have been found responsible. If your firm allows everyone to use the admin account, it likely does not have good policies on acceptable computer use. Those policies, and the ability to identify who is doing what on the system, are key to defending management in harassment cases. If you don’t, there is big lost time, big lawyer bills, big lost credibility, and possibly future challenges to hire the people you need if you are known as a harassing company.

      And, one more, but this is more of a way of selling. We want to put these controls on so that no-one can accuse you of doing bad things (sabotaging the company, harassing, fiddling the books) when you didn’t but someone else did on your machine using the common password. What if Enron execs didn’t actually do that stuff and some junior staffer framed them? What if it happened in your company? This is like installing locks on cars so that everyone can be sure theirs is where they parked it when they come back. And it is pretty cheap locksmith work at that. If you don’t, there could be big lost time in the slammer, big lawyer bills, big credibility loss and possibly bankruptcy.

      Good luck!

    • #3205795

      Stability

      by truthiness ·

      In reply to users with administrator privilege

      I have our desktops locked down, and haven’t had any real trouble keeping it that way. My argument is pretty simple: Locked down desktops=greater stability=greater uptime=higher productivity. People come here from other, similar businesses, and remark on how stable our network is. I tell them (and it’s true) that it’s because we have the machines locked down so that users can’t install whatever programs they want, and viruses and spyware can’t run amok. I’m a one-person IT shop, and the less time I spend on desktop support is more time that I can spend on big picture projects.

      Having the desktops locked down actually creates more work for me sometimes in the short run. Anytime a user legitimately needs a program installed, I have to do it for them. We have problems with web sites that want to install ActiveX, I have to do that for them. I always drop what I’m doing and rush to do these things for the users. I apologize to them for the inconvenience, but explain how we do it to keep the system stable and secure. I’ve been running this way for 5 years with no serious challenges.

      BTW, Vista is supposed to improve this situation somewhat, by making rights management more granular. There will be additional user levels besides just administrator, power user, and user.

    • #3205793

      Beware locally written software

      by rberns ·

      In reply to users with administrator privilege

      A corporate I work with has various in-house written software. Unless the user has local administrator rights it fails.

      So before removing local admin, thoroughly test the configuration.

      • #3205605

        Not just local software

        by hal jordan ·

        In reply to Beware locally written software

        Local software is, for me, less of a problem, since I’m the one writing it, and can therefore do so appropriately for the task and environment required.

        However, COMMERCIAL software continues to be the biggest headache. Avid editing applications, various encoders, etc. either fail due to setting the wrong security on registry keys, or (especially in the case of Avid) REQUIRE the user to be an administrator just to get the software to even run — even when there is only a minor service access which might be elevated to do the job.

        Until more commercial developers are forced to operate within a properly secured environment, none of this will change. It will be interesting to see what happens once Vista is in place, and these developers address its security environment. But I, for one, am not holding my breath…

    • #3205775

      Regulatory environment

      by dlaughlin ·

      In reply to users with administrator privilege

      If you are part of an industry with any regulatory requirements, such as banking, healthcare, insurance, any publicly traded company, etc. the compliance requirements offer a good basis for your point.

    • #3205753

      Accept it

      by bellyware ·

      In reply to users with administrator privilege

      In my humble opinion, you used all the arguments that count.
      If management judges that the downside to the current situation is less important to them than the advantages (if any) then you need to learn to live with it.
      Remember, it’s not your network, it’s theirs. And you are there for the sole purpose to keep THEIR network running.
      If you cannot do that given the requirements by management it’s your job to let them know the downside to their choices.
      But if they are willing to accept these downsides, you basically have two options: accept it and go on like before, or find a job in a company that agrees with you.
      Again, though you should let management take advantage of your expertise, you’re not there to make the network run the way you think (and know) it should run, but to make it run the way they want.
      Again, if “the way they want” is stupid (and it is), tell them, tell them again, and deal with their decision.

    • #3205752

      business case indeed

      by jdiggs ·

      In reply to users with administrator privilege

      There is a lot of discussion about presenting a business case. I liked the file folder example. Here is another interesting presentation idea.

      Install a keystroke logger and screen capture program on a workstation where sensitive data is handled. For maximum shock value, repeat the same steps on a male executive’s PC who tends to work late at times. Present the captured data in a meeting with top executives, and explain to them that everyone running as administrator has the access necessary to compromise any computer on the network in this way.

      Of course you may want to have a resume and possibly even a lawyer ready to go into action before you do this.

    • #3205750

      Same Problem but Resolved

      by bchan ·

      In reply to users with administrator privilege

      Use a spreadsheet or helpdesk ticket system to validate your case. Record date, start and finish time, user, problem, cause, and problem. We had the same problem in the past. Thanks to the assistance of our Helpdesk group. Only a few people actually have admin rights after signing a local admin usage policy. Now, if they really screw up their boxes, their systems are re-imaged. After a while, some users get the message: they screw their boxes up, IT wipes them clean. If they had some important work on the non-working system of their cause, too bad. The majority of the people who had local admin rights when we had Win9x don’t have local admin rights on Win XP Pro. If management asks you why it is taking so long to do work, blame it on the fact you’re always fighting fires caused by the end-users with local admin rights. If your management is good, they will see the problems and take care of it by giving IT the power to take the rights away. In the beginning we had a lot of end-users complain to us about this, and our reply was: “The computers don’t belong to you but to the company. The company requires you to use them for work, not for anything not related to work. If you don’t like this, your manager and my manager can talk about this.”

      Also, you should have a Computer and Network Acceptable Usage Policy in place.

      I hope this helps.

    • #3205748

      From the mouths of Microsoft

      by allan.claunch ·

      In reply to users with administrator privilege

      I sympathize with your plight. I currently am the sole admin for a group of companies and inherited a similar scenario. They previously never had an admin and the place was wide open in every way imaginable. After immediately plugging all the holes and battening down the hatches, I began systematically stripping everyone of their rights, and I do mean EVERYONE, from the owner on down. Unlike your situation, I was fortunate in that I encountered absolutely no resistance from management, it was the workers that were screaming for my head on a plate. But I was prepared with the ultimate sword… Microsoft’s own words. No matter how savvy the infidels are, their arguments fall apart upon being shown the verses straight from the “pope”.

      Armed with Microsoft’s edicts, I explained to them that this wasn’t a trust issue in regards to their activity and bore no reflection on them. I explained that my intentions were to protect them, not harm them. I agreed with them that this was a terrible deal that Microsoft had written the OS in such a way that we had to do this to be safe. But alas, it was so, and it must be done.

      You can begin by showing them straight from the Help file on
      their own machine:

      Click on “Start:Help and Support”
      Click on “System administration”
      Click on “Passwords and user accounts”
      Scroll down on the right column to:
      “Why you should not run your computer as an administrator”

      Why you should not run your computer as an administrator
      Running Windows 2000 or Windows XP as an administrator makes the system vulnerable to Trojan horses and other security risks. The simple act of visiting an Internet site can be extremely damaging to the system. An unfamiliar Internet site may have Trojan horse code that can be downloaded to the system and executed. If you are logged on with administrator privileges, a Trojan horse could do things like reformat your hard drive, delete all your files, create a new user account with administrative access, and so on.

      ——————————————————
      Follow this up with showing them excerpts from Microsoft’s site:

      http://www.microsoft.com/germany/technet/prodtechnol/winxppro/reskit/c17621675.mspx

      Overview
      Every user and computer has a specific role and purpose in an organization. To accomplish their goals, each user and computer must be able to access certain resources and perform specific tasks. However, allowing users and computers unlimited access to system and network resources and functionality can compromise an organization’s security and stability. The access control infrastructure of Windows XP Professional functions to balance the resource access and system security needs of an organization.
      For example, Alice works in Accounting and needs to be able to view, but not create or modify, certain Personnel department files that are off-limits to other users in the organization. The Personnel department, which controls these files, uses access control to define which users can have Read-only access to Personnel files, which users can have Write and Modify access, and which users have no access to the Personnel share. Alice is given Read-only access to the Personnel files. Similarly, IT determines that prohibiting users such as Alice from making significant changes to their systems can reduce costs and improve security and supportability. IT makes Alice and other users members of the Users group, thus limiting their ability to install applications and reconfigure their operating system environments. In this way, Alice has the access to resources that she needs, the security of the organization is enforced, and the stability of the network is maintained.
      ——————————————————

      My favorite site for collecting additional armaments is from one
      of Microsoft’s own security experts:

      http://blogs.msdn.com/aaron_margosis/archive/2005/04/18/TableOfContents.aspx

      Hope this helps.

      • #3282617

        You didn’t say it, but …

        by brokeneagle ·

        In reply to From the mouths of Microsoft

        Allan,

        You didn’t say it, but you gave the justification for saying that “user education is the key.”

        Life is a lot easier when you take the time to educate your users (including their/your bosses).

    • #3205731

      Not basic at all, but should be

      by jj_itguy ·

      In reply to users with administrator privilege

      This problem is a plague and will not leave any tech forum alone. I can’t imagine anyone not ever experiencing it in their career. That may not make you feel better, but at least you know you’re not alone.

      Some things that have NOT worked well for me:
      1) Brute force restrictions (because I said so). Hey, we were all young and bold (stupid) at some point… right!?!
      2) Giving in to user demands (they’re the boss).
      3) Ignoring the situation.

      What has worked:
      1) Educate from top down. Much easier to implement restrictions with top level mgmt on board.
      2) Find the users who “get it” and use them as promoters and examples. When people at their own level are singing praises of whatever is being pushed, it will be more widely accepted.
      3) Include all the ideas already presented here in other posts for the education portion (cost savings, less downtime, security, legal implications).

      I have found a few situations (traveling salesforce) where admin privileges really help everyone do their job better. I just create a separate local account that can be used in “special cases”. I educate them on how/when to use it and make them sign off on a statement regarding policies and procedures for using the laptop, admin account, etc. This is working very well so far (users are happy, I don’t get midnight helpdesk calls to install a needed plugin). Oh, I don’t put these laptops on the domain either and I restrict their access to domain resources just in case.

      Hope this helps. Keep fighting the battle. I do agree, though, that if you cannot get top level support, you should find another job. No matter what, you will be the one made to look bad when the @#@# starts to roll, and getting fired over something you tried to fix would not be a good situation.

    • #3205712

      Start with a Small Group

      by systems magician ·

      In reply to users with administrator privilege

      Can’t win management, win the users. After all, you interface with them more.

      What I did was start rebuilding problematic machines first and lock out the user to “restricted user only”. I installed all the applications they will need or conceivably need in the future, and set them up for multiple network printers. I explained to the user(s) that we will try something different that will help stabilize their computers by locking the computer down against changes or installation by malicious intent like viruses, people who will try to steal personal data in the computer, etc. This part they understood very well. I also compromised that within the 15 work day period, I will give them top priority if there are any problems or concerns.

      Eventually, others who are tired of experiencing problems daily asked that their machines be rebuilt to make them stable. The users are now willing to sacrifice administrator rights for a stable machine on which they can do work.

      I explained to them too that IT understands no company user intends to sabotage any computer or their own; it is the things that happen in the background that they don’t know about, because of having administrator or power user rights, that are creating this problem, which is why lockdown helps to stabilize their computer.

      Good Luck

    • #3205673

      users with administrator privilege

      by edwards ·

      In reply to users with administrator privilege

      As a senior scientist who has been building and configuring my computers since 1980, I would have no part of your scheme to let only “techs” have administrator privilege. The PC monkey shop does a fine job of unpacking new PCs and laying down an initial image for the unwashed employee masses, but they are clueless when it comes to developing sophisticated software on a variety of platforms. As for “downtime”, the PC monkey shop has never experienced downtime or need for their services on my account. The elevated sense of self worth that comes from endless certification programs is laughable.

      • #3205615

        Valid, if slightly inelegant. . .

        by bkinsey1 ·

        In reply to users with administrator privilege

        There are definitely jobs that require full admin rights to the local system. Yours sounds like one of them, along with anyone who does software development, tools programming, etc.

        But it’s not a seniority issue – the CFO, VP’s and even the CEO don’t require that kind of access in most cases, where a “lowly” lab tech in R&D might. Nor is it simply based on computer knowledge in general; an employee who knows all about building PC’s, networking, software, whatever, doesn’t get local admin rights unless their job requires it – they probably present a greater security risk to the company than the ignorant “unwashed employee masses”. 🙂

        By the way, who gets such rights and who doesn’t isn’t (or shouldn’t be) strictly an IT decision. Requires input from line management as to job requirements from an angle that IT doesn’t see. . .

      • #3205603

        ad hominem attack

        by truthiness ·

        In reply to users with administrator privilege

        I don’t understand how your comment about certification programs is germane to the discussion. You make the assumption that this is about administrator power-tripping, when in fact it is about what is best for the business (or organization).

        I would never lock down a machine in such a way to keep a user from doing their work. I will bend over backwards to make sure that people are in no way limited from getting their work done. But, it’s not a given that locking down a machine keeps people from doing their work. It may be in your particular case and in that case I would grant the necessary rights. But in my experience, with the type of users I work with, in the business I am in, restricting user rights does not in any way keep people from getting their work done.

        Most of my users don’t know how to minimize a window, and can’t figure out how to log in if their username isn’t already typed on the first line of the logon screen. These same people will install programs sent to them by anonymous e-mail without a second thought, with no consideration whatsoever of whether it is work-related. Giving these people full access to a Windows computer attached to a network is like giving a toddler a loaded gun.

    • #3205654

      The impression of control

      by dennis_london ·

      In reply to users with administrator privilege

      I spent a lot of time reading all the replies and there is a ton of great information here. One thing I highly agree with is to not let on that you are restricting their access while you are actually restricting them.

      Here is an example of what I’m talking about:
      Many years ago (back in Windows 3.11 days) I became the IS Manager for a company which was in an identical situation. Back then you couldn’t really help it. But then Windows 95 came on the scene with a little more in the way of security options. And I do mean “little”. But there were enough options with user accounts that would allow me the ability to semi-lockdown accounts. The rest I would handle with Novell security and later Windows NT Server.

      First I went around to each of the department heads and asked them what areas of the network, servers, printers, programs, files, etc. I needed to restrict the rest of the company from but allow their people access to. I sat down with the manager or director of each division or group and created a security template with them. I presented it to them with the understanding of securing their group/dept people and work from everyone else’s mistakes or mishaps with viruses, wandering eyes and all that stuff. After working it out with the Dir/Mgr I informed him/her that I would go see what I can do and get back to them.

      Remember, the key here is that I worked with the dept head. So of course I went straight back to them with their proposed security plan and explained that in adding these security measures to prevent others from impacting them I would be unable to avoid impacting some of the access their dept may have been accustomed to having. I cautiously and thoroughly explained that their dept would function without issue as they have in the past and the limitations would be limited to things like not being able to freely install applications, programs, hardware, printers. I carefully explained that these are things that I should do for them so we know it is done right with the new security model.

      After getting the dept head approval, I asked them to sign it. I explained why, I told them “this way I had your written blessing if anyone comes complaining about not being able to install a new screensaver, game, or whatever on their workstation”. I was surprised to hear the dept head say the following and I quote (I’ll never forget this one) “If anyone complains about something like that, I want to know since that tells me they aren’t doing their job”. You could have knocked me over with a feather. My plan worked. They bought the securing-your-dept-from-everyone-else angle hook, line and sinker.

      Now with today’s security capabilities you have to choose from, there is much more you can do but keep in mind you want them to feel like you are helping them, not limiting them.

      I hope this helps.

    • #3205592

      The best thing we ever did!

      by redt ·

      In reply to users with administrator privilege

      Ah yes, the age old issue of saving our users from themselves. GPOs are a wonderful thing.
      2 years ago I set out to upgrade all of our computers to XP. At the same time I deployed the use of GPOs to secure the computers once deployed in our environment. Prior to this upgrade we would spend countless hours fixing issues caused by the classic “I don’t know what happened” or “I just clicked on that”. But you already are probably experiencing that.
      I presented my case. How many hours could be saved by not having to rebuild computers after the users tried to install whatever application, or other “Business use application” they thought they might want to use only to uninstall and try another. Kinda like the smileys to make their email cute. OK seriously.
      Remember we are protecting the computers from malicious activity not preventing people from doing their work. This argument seemed to go far.

      We submitted a list of known applications used in our company. This list was confirmed with each department manager. Any new applications would be tested in the lab first by an IT tech and confirmed by the employee to see if it meets their needs.

      We proposed to lock down to prevent writing to the registry and the windows directory. This will prevent any virus writing to those locations. (I have only had to rebuild one computer in 2 years and that was due to a virus on a lab computer that is not under the GPO) I have since blocked any computer that is not under GPO from accessing the internet.

      On a side note: This has also made our SOX compliance audit easier since we can prove control over the systems.

      Hope that helps getting you in the right direction with the powers that be.

    • #3205585

      More question than answers

      by greg.gray ·

      In reply to users with administrator privilege

      Storch

      What type of network do you run at this company? Is it routed or are you all under one subnet? How are these privileges handled? Is the info you/they handle sensitive?

      What we have done is to make people admins of their ‘own’ computer and have the ability to log in anywhere on the network but not as admins but as users who would have access to things like email and their own personal files. Just a suggestion but instead of trying to ‘take it all away’, sell the idea of total control on a machine with total LAN access on all. This makes for a great or at least a much more secure network.

    • #3205574

      Hit em where it hurts

      by moriah.greenwood ·

      In reply to users with administrator privilege

      If they’re not willing to listen to reason you can always slow down repairs, and when they ask what’s going on just reply “I have to figure out what so-and-so did to repair it”. This is particularly useful with servers (mail or file); people tend to take notice when it directly affects them.

    • #3205550

      run like hell!…

      by dmcnair420 ·

      In reply to users with administrator privilege

      it is apparent that your company does not handle important/critical information or whatever. 1. management may not be aware of government regulations (the red tape that is going to get someone gummed up). quit that job and go work for social security where you are the only one with admin privilege and you will rest better tonight.

    • #3205524

      5 Things to Consider

      by pinner_blinn ·

      In reply to users with administrator privilege

      1) Find out what the accepted practice is for companies of similar size in the same industry. Tailor your expectations accordingly. You will not gain support from management and end-users if you are attempting to implement a policy that is excessively strict when compared with your industry peers.

      2) Conduct a survey of users to determine why they believe they must have admin privileges. Too often, full admin rights are granted as a quick and dirty fix to a problem. For example, an application that didn’t work correctly was “fixed” by granting full admin rights to a user instead of tweaking folder permissions. The important thing is you want to understand your users’ perceived needs and come up with an acceptable solution that doesn’t require the use of admin rights.

3) Begin documenting incidents involving inappropriate or careless use of admin rights by end-users. Each incident should include a description of how the business was exposed to actual or potential harm by the user’s action. You can talk all you want about how unrestricted admin rights will cause problems; showing documented proof will make your case a lot more compelling.

4) Begin to build a consensus among key decision makers, especially your own boss. If the heavyweights don’t buy in to your plan, you’re going to find it difficult to change the status quo, especially if it means they will have to give up access rights, too. Depending on the size and complexity of your company and its IT environment, consider starting an IT Steering Committee or similar oversight group. This will give senior management shared responsibility for the success (and security) of IT operations. It will also ensure that IT’s actions are consistent with the goals of the business.

      5) Set reasonable expectations and take a measured approach. Every organization of any size typically has a small percentage of users that are very tech-savvy. Unless you understand their applications and computing needs really well, and can guarantee continuity of service, don’t mess with them. Chances are, these are likely your most vocal opponents of tightening security and they may have a strong case for retaining their admin privs (for now). So, start by focusing on the 95% of users that probably won’t put up much of a fuss about losing their admin access. The message to everyone will be clear: network security is important and the old way of doing things is over.

    • #3205498

      Benefits outweigh annoyances

      by terry.floyd ·

      In reply to users with administrator privilege

      I completely understand your problem. When I first became involved in IT, we had to bring a number of previously independent offices into one domain. Most were not a big problem, but one office insisted that they wanted absolute control of their own computers because, of course, they knew what they were doing. Never mind that they were microbiologists and chemists, not computer experts, they demanded that they be made admins of their computers, or else they could not do their jobs.

      We then instituted a “3-strikes” policy. Users were allowed to be admins as long as they demonstrated competence with the privilege. The first time they reported a problem caused by something stupid they had done that had to be resolved by IT staff, they got one strike called against them (which was recorded in a master database so we could document every instance of their incompetence). The second time would result in a second strike. If they had a third strike, they would have their admin rights revoked.

      Within nine months, all employees in this office had normal user accounts and none of them were admins any longer. The problems caused by admin rights ranged from users installing illegal/pirated software to a laptop user who removed his computer from our domain and joined it to a different domain at a university affiliate to a user who made everyone in a different office admins of all the computers in their laboratory. One user couldn’t solve a driver problem, so rather than call us to help him, he simply re-installed Windows from scratch and wondered why he couldn’t add his re-built computer to the domain. Another user created a new local user account that he added into the Admins group as a sneaky backdoor; after his C:\ drive ran out of free space, he thought he’d be clever and delete all of those old profiles under C:\Documents and Settings, and he ended up deleting his own domain user account profile. Since he rarely saved work to the server, he lost all of his most important files. And, of course, he blamed IT for not giving him a computer with a large enough hard drive to store all of his important files locally.

      You can always cite “Best Practices” that have been used in the industry for decades that recommend all users log in with a standard user account and invoke admin/root access only when necessary. This is how our IT staff works. None of us log into our workstations with admin accounts, but simply use the Windows “Run As” option whenever we need to perform an action as an administrator. Having some Linux experience is definitely helpful, since this is the default behavior of just about every Linux distribution I’ve ever installed (with the exception of LinSpire).
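
The “standard account plus Run As” habit described in the reply above, as an added PowerShell example that is not code from the original thread. It assumes a Windows machine with UAC; the installer path and the CONTOSO\adm-jdoe account in the comments are made-up placeholders.

```powershell
# Added example, not from the original thread.
# Day-to-day work happens in an unprivileged logon; only the one action that
# needs admin rights is run in a separate, elevated process.

function Test-IsElevated {
    # True only if the Administrators group is enabled in the current token.
    # A standard user, or an admin under UAC before elevation, gets False.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object -TypeName Security.Principal.WindowsPrincipal -ArgumentList $identity
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-Elevated {
    # Run one command in a new elevated powershell.exe. A standard user gets the
    # UAC credential prompt and types the *admin* account's password; the
    # interactive session itself stays unprivileged. -Wait blocks until done.
    param([Parameter(Mandatory)][string]$Command)

    if (Test-IsElevated) {
        Write-Warning 'This session is already elevated; you should be working as a standard user.'
    }
    # Base64-encode the command so quoting survives the process boundary.
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Command))
    Start-Process -FilePath 'powershell.exe' -Verb RunAs -Wait `
        -ArgumentList '-NoProfile', '-EncodedCommand', $encoded
}

# Whole logon session stays a standard user; only the installer is elevated
# (placeholder MSI path).
if (-not (Test-IsElevated)) {
    Invoke-Elevated -Command 'Start-Process msiexec.exe -ArgumentList "/i C:\Installers\app.msi /qn" -Wait'
}

# Pre-UAC equivalent of the "Run As" the reply mentions (placeholder account):
#   runas /user:CONTOSO\adm-jdoe "mmc compmgmt.msc"
```

Run the script from the standard-user session; the only moment admin credentials are typed is the UAC prompt for the single elevated process, and the shell you keep working in never carries the admin token.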

    • #3282613

      Overlooked item in replies

      by tmsassoc ·

      In reply to users with administrator privilege

Hi. While there are several good answers here, one of the challenges that I see is that most of them overlook the fact that there is only one login ID and password for the entire system. How do you track who did what? This would seem to me to make it very difficult to determine who has caused what problem on the network, except for those times where you get a call from someone who admits they did something and now their computer won’t work.

Since tracking of problems would seem to be a major challenge, perhaps a variation on another idea posted here would be an option. What comes to mind is to do a little research on the system and see what you can find buried around the network, with particular attention to games (internet and local) and inappropriate pictures. Make yourself a limited number of notes to help you track back to those places and then arrange a conference with the highest manager with whom you can get an audience. Then simply show them what you have found on the system, tell them that you can’t tell how it got there as there is only a common ID, but that having this information on the system opens the door to legal issues (like sexual harassment if you have found such pictures) and that as long as the company’s computer usage policy remains wide open you can’t control such usage from happening in the future. If you are not at the top of the ladder when making the initial presentation, the manager you are talking to will hopefully help you take your concerns further up the chain to the point that a decision to modify policy can actually be made.

A presentation such as I am proposing, while it could initially be presented by itself, would work best as part of a larger presentation package as set forth in some of the other posts.

These days it does seem that one of the biggest drivers of change is the issue of legal liability, and the top of that list is sexual harassment.
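
A check for the attribution problem raised in the reply above, as an added PowerShell example that is not code from the original thread. It reads the Windows Security log for interactive logons and shows how many distinct accounts are actually in use; with one shared login the answer is one, and workstation and source IP are all the attribution left. The computer name is a placeholder, and it assumes Windows Vista/2008 or later (event 4624).

```powershell
# Added example, not from the original thread.
# Lists interactive logons from the Security log so you can see whether
# people actually log on as themselves or as the shared account.

function Get-InteractiveLogons {
    # Event 4624 (Vista/2008 and later; it was 528 on XP/2003) is written on
    # the machine being logged on to. LogonType 2 = console, 10 = Remote
    # Desktop; service, batch and network logons are noise for this question.
    param(
        [string]$Computer = $env:COMPUTERNAME,
        [int]   $Hours    = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (@('2', '10') -contains $data['LogonType']) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                Workstation = $data['WorkstationName']
                SourceIp    = $data['IpAddress']
                LogonType   = $data['LogonType']
            }
        }
    }
}

# Placeholder computer name; a week of logons.
$logons = Get-InteractiveLogons -Computer 'PC-FINANCE01' -Hours 168

# One row per account: a healthy site shows one row per person, the
# shared-login site shows a single row with everyone's logons in it.
$logons | Group-Object Account | Sort-Object Count -Descending | Select-Object Count, Name

# The only pivot left when the account is shared: where the logons came from.
$logons | Group-Object Account, Workstation, SourceIp | Select-Object Count, Name
```

Running this needs the Security log to be readable by you (local admin or Event Log Readers on the target) and, for a remote computer, the Remote Event Log Management firewall rule; the output is also a handy exhibit for the presentation the reply describes.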

    • #3282550

      where do they find the time …

      by helpusobiwan ·

      In reply to users with administrator privilege

I can’t imagine where your people are finding the time to lounge around the ‘net downloading and installing games, etc. Apparently they have lots of spare time. At my most recent company, that was cured by downsizing on a regular basis until everyone was working at least 50 hours a week just to keep up, much less find time to “play” with the computer. Perhaps your management team might find that solution palatable (unless they are the most notable offenders, of course :-).

      My 2 cents? Procure and install “virus/spyware software of choice” Enterprise Edition so at least most of the “bugs” can be held at bay. I assume you do have control of the Internet connection and it is through a single point.

      Good luck.

    • #3282498

      show them the potential of what your users could do…

      by welshbilly ·

      In reply to users with administrator privilege

      Can you produce any logs from servers/applications and show the work you had to do as a result?

      Show them they could potentially remove a server from the network.

Think about the apps your CEOs use and how users can affect them, e.g. accessing emails/deleting emails, deleting documents, their access to sensitive information, e.g. payroll, appraisals.

    • #3282464

      Journal

      by informationfac ·

      In reply to users with administrator privilege

      For me I find that approval is often tied to timing.

      When I know that the suggestion that I am making is good, but that the decision-makers are not ready to make the “right” choice, I begin a journal to document time, problem, individuals involved, resolution.

      The last time I presented my journal was at a budget meeting. A certain software was denied that was wanted by a department head. I was able to show them that if they had gone with the package I had originally presented, we could have easily added the software to the budget.

In my experience the loss has to be personal if management is not totally in tune with the principles of ROI.

      • #3284851

That’s a good idea

        by ibanezoo ·

        In reply to Journal

        …DOCUMENTATION. We can speak geek to managers all day long and they won’t understand. A well written journal with specifics and dollar amounts usually can’t be denied.

    • #3282347

      Fed Regs

      by lando56 ·

      In reply to users with administrator privilege

      I didn’t catch what area of biz you are in, but many require… by law… certain restrictions to be considered ‘compliant’ or face some very serious consequences, including jail.

I’m certain you can figure out the rest of the ‘pro’ argument 🙂

    • #3282330

      Lots of good responses, but…

      by tenagra71 ·

      In reply to users with administrator privilege

Straight up, there are plenty of good responses – and some that we don’t talk about. I would maintain the professional integrity you have, choose your best options (put on your “A” game) and proceed one last time down the path to a more secure environment. Then just sit back and do your best with the env. they insist you work in. That, or bail and let them know why you’re leaving. If that is not an option, then just be prepared for the worst. If the worst happens, make sure the decision makers on this one feel the pain, but fix it fast. And make sure they know it could happen again 5 minutes after it is fixed because the source of the issue is still there – admin users with one login. Of the 4 or 5 major downs we have had here in the last 10 years, 2 were caused by “important people” doing things they thought were fine. Ivy League smart does not mean they know IT. Good luck.

    • #3284853

      Public company?

      by ibanezoo ·

      In reply to users with administrator privilege

Dunno if you are in a public company or a company that is planning to go public, but I work in one and when we get audited for SOX they always want a complete list of who has admin rights. I think they’d pass out if I handed them a list with all the employees on it…

      Having gone through this though, I find the hardest people to convince they don’t need admin rights are the management staff. Usually after they kill their computers a couple times or lose precious files they give in and leave the administration to the administrators. The “normal” employees are just handed a 10 page acceptable usage policy and then they almost beg to have their admin rights taken away…

I thought SOX was going to be a major pain for our company but it is actually working out awesome for my department. It gives you muscle to do things like block admin rights; all I have to say is “it’s a SOX requirement and the government says I have to, sorry.”
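
The “who has admin rights” list the auditors ask for in the reply above, and the “admin of their own computer, plain user everywhere else” model proposed in the first reply at the top of this page, both come down to the same check: who is actually in each PC’s local Administrators group. An added PowerShell example that is not code from the original thread; the CONTOSO domain, computer names, group names and the PC-to-owner table are placeholders you would fill from your own asset list.

```powershell
# Added example, not from the original thread.
# Inventory the local Administrators group on each PC and flag anyone outside
# the model "IT groups on every machine, plus the machine's own user".

$Domain = 'CONTOSO'

# Allowed to be a local admin on every machine (placeholder group names).
$GlobalAllow = @("$Domain\Domain Admins", "$Domain\IT-Workstation-Admins")

# Allowed to be a local admin on their own machine only (placeholders).
$OwnerOf = @{
    'PC-FINANCE01' = "$Domain\jdoe"
    'PC-LAB02'     = "$Domain\asmith"
}

function Get-LocalAdminMembers {
    # Reads the group over ADSI/WinNT, so the target needs no WinRM, only
    # admin rights for the caller (you, not the users).
    param([Parameter(Mandatory)][string]$Computer)
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    @($group.Invoke('Members')) | ForEach-Object {
        $path = $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
        # WinNT://CONTOSO/jdoe                   -> CONTOSO\jdoe
        # WinNT://CONTOSO/PC-LAB02/Administrator -> PC-LAB02\Administrator
        (($path -replace '^WinNT://', '') -replace '^[^/]+/([^/]+)/', '$1/') -replace '/', '\'
    }
}

function Get-UnexpectedAdmins {
    # Pure comparison, so it can also be run against a saved member list.
    param(
        [Parameter(Mandatory)][string]$Computer,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Members
    )
    $allowed = $GlobalAllow + "$Computer\Administrator"   # built-in local account
    if ($OwnerOf.ContainsKey($Computer)) { $allowed += $OwnerOf[$Computer] }
    foreach ($m in $Members) {
        if ($allowed -notcontains $m) {                    # case-insensitive
            [pscustomobject]@{ Computer = $Computer; UnexpectedAdmin = $m }
        }
    }
}

$report = foreach ($pc in $OwnerOf.Keys) {
    try {
        Get-UnexpectedAdmins -Computer $pc -Members @(Get-LocalAdminMembers -Computer $pc)
    } catch {
        [pscustomobject]@{ Computer = $pc; UnexpectedAdmin = "UNREACHABLE: $($_.Exception.Message)" }
    }
}

# The dated CSV is the artefact an auditor asks for; the table is for you.
$report | Export-Csv -Path ".\local-admins-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
$report | Format-Table -AutoSize

# Removing a stray member once management has signed off (placeholder names):
#   ([ADSI]"WinNT://PC-LAB02/Administrators,group").Remove("WinNT://$Domain/jdoe")
```

A renamed built-in Administrator account will show up as unexpected, which is intended: the report should list every principal that can administer the box, and you decide per line whether it belongs. Re-run it on a schedule and diff the CSVs; a user re-adding themselves (the “sneaky backdoor” account from an earlier reply) appears as a new row.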

    • #3284784

You’re missing the point

      by n.bowness ·

      In reply to users with administrator privilege

Forgive me for saying so, but you’re missing the point… Sure, what you propose would make YOUR JOB EASIER, and it is certainly more ‘secure’, but what about the client? Having pointed out the pitfalls of the current set up and its cost implications to the client, you may now have to accept that the way you think they should do things is not the way they WANT to do them… You’re thinking too much like a tech and not enough about the client’s wishes… Even the most rational, well presented arguments relating to IT, including those relating to security, often fall on deaf ears (even if they cost the client money) if it’s not what the client wants to do… and after all, if they are prepared to pay, what’s the problem? If you keep pushing you may find they take their business elsewhere… Non-techies respect us, but not if we are perceived as ‘pushy’… I remember being in a similar situation myself some years ago now. I kept on trying to ‘educate’ the person concerned, but in exasperation they said, ‘I hear what you say, but this is how we want it. If it f***s up we call you in and you fix it, OK?!’ So I suggest you drop it, and if and when things do go wrong, remind them again, tactfully, that you pointed this out some time ago; maybe then they will do what you suggest. After all, from their point of view, ‘if it ain’t broke don’t fix it’. They may feel that the CHANGE is something they are not happy having to deal with; this is quite normal, people don’t embrace change willingly, only when it’s forced on them by circumstance… It sometimes takes people several disasters to get into the habit of doing a regular backup, for example.

    • #3284753

      Registry adjustments

      by timandlizh ·

      In reply to users with administrator privilege

Whatever purpose these users need to be administrators for can usually be accomplished on an individual-by-individual basis by setting people up as power users and adding/deleting privileges and permissions via security settings in the registry. Your manager sounds like Joe-I-Don’t-Know-Crap-About-Your-Job-But-I-Can-Tell-You-How-To-Do-It-Manager, in which case he/she could be taking your ideas the wrong way. He/she may be hearing, “Only I can have the Power”, meaning you want to be in control. Most IT managers I have ever known were control freaks, and one way they feed this need is by taking away control of others. If you are doing that, it does nothing for him/her. Presentation is key to accomplishing what you want—make your boss look good to his/her boss—explain how giving users free rein can be detrimental to this goal. Hope this helps. I am somewhat of a control freak myself—takes one to know one.

      Tim
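
The alternative to admin rights suggested in the reply above (and, earlier on the page, in point 2 of “5 Things to Consider”: fix the folder permissions instead of granting admin) as an added PowerShell example that is not code from the original thread. It grants one group Modify rights on the one folder and one registry key an application writes to. The application name, path, key and group are placeholders; the real ones come from the ACCESS DENIED results the application produces (Process Monitor filtered on the application’s process shows them).

```powershell
# Added example, not from the original thread.
# The usual reason a user "needs" admin rights is one application that writes
# to a protected folder or registry key. Grant that path and key to a group
# instead of making the user an administrator.

$AppFolder = 'C:\Program Files\LegacyApp'     # placeholder
$AppKey    = 'HKLM:\SOFTWARE\LegacyApp'       # placeholder
$Group     = 'CONTOSO\LegacyApp-Users'        # placeholder

function Grant-FolderModify {
    # Modify, not Full Control: the group must not be able to change the
    # permissions or take ownership. Inherited by all files and subfolders.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Identity)
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::Modify,
        ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Grant-RegistryKeyModify {
    # Registry counterpart: read, set/create values and subkeys, delete.
    # Still no ChangePermissions or TakeOwnership. Keys only inherit to
    # subkeys, so ContainerInherit alone is correct here.
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Identity)
    $rights = [System.Security.AccessControl.RegistryRights]'ReadKey, WriteKey, Delete'
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $Identity,
        $rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Run once, elevated; afterwards the user works from a standard account.
Grant-FolderModify      -Path $AppFolder -Identity $Group
Grant-RegistryKeyModify -Path $AppKey    -Identity $Group

# Verify what the group ended up with (and that nothing got Full Control).
(Get-Acl -Path $AppFolder).Access | Where-Object { $_.IdentityReference -eq $Group } |
    Select-Object IdentityReference, FileSystemRights, IsInherited
(Get-Acl -Path $AppKey).Access | Where-Object { $_.IdentityReference -eq $Group } |
    Select-Object IdentityReference, RegistryRights, IsInherited
```

Grant to a group rather than to individual accounts so the exception is visible and revocable in one place, and keep the scope to the application’s own folder and key; widening it to Program Files or HKLM\SOFTWARE as a whole would hand back most of what admin rights gave.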

    • #3283212

      To be convincing from a 20 year IT person with an MBA

      by terry.orzechowski ·

      In reply to users with administrator privilege

For most companies IT is a cost. You will have to estimate, to the satisfaction of the business line people, the cost of them waiting to be able to work because they do not have the correct permissions, vs. the amount of time they will be down because they knocked themselves off the network. (Both of these situations are your fault.) Unfortunately, I think that if you do this honestly you will find that it will be years before you hit break even on this one and have nearly the right permissions for everybody. Nobody cares how much money the project will save next year. They only care how much it will cost this year. I think you will find that the business line managers have already weighed these costs in their heads. Often you find that you are wrong when you put it on paper, and I could be wrong right now. Neither of us will know until there is a spreadsheet involved. On the other hand, your reward for creating an ultimately flawless IT department will be losing your job, because technology is getting so easy now. LOL

    • #2618755

      Deep Freeze the PCs

      by jcolgate ·

      In reply to users with administrator privilege

Try using a product called Deep Freeze, sold by Faronics. You can let them do whatever they want to the PCs; just reboot and all the changes are gone. You can specify thaw space for them to store data on the hard drive.

    • #2611521

      Wrong conception

      by acamilov ·

      In reply to users with administrator privilege

Well, I agree with your company executives in that the problem is not that users’ rights must be limited; they should be educated in the proper use of the computers. Nevertheless you should restrict some access to certain internet ports, like the ones used for peer-to-peer networks, basically because those do slow down the internet and could have some legal issues.

    • #2918230

      This has been here since August 2006?

      by wahorton ·

      In reply to users with administrator privilege

      Is the guy/company still around?
