Not every network administration problem can be directly
tied to a technical issue. Often the most difficult administrative situations
stem from the volatility of human interaction where politics, personality, and
ego can render even the best IT policy moot. When well-established IT security procedures
conflict with the desires of upper-echelon management, the front-line network
administrator is often caught between the proverbial rock and a hard place.

Balancing established IT policy and procedures with the
wishes of executives who can impact your working environment can be
exasperating. Looking for a viable solution to this dilemma, Hiro_Protagonist posted a question in
the TechRepublic Discussion Center recently:

Hiro_Protagonist–I’ve got a wannabe who just hired on as a
Senior Vice President. This guy used to work for the company like 2 years ago
but got laid off. Now he’s back and we’ve upgraded to 2000 from 98 and he
insists on having admin rights to his W2K laptop because he needs to
“control his own destiny on the computer” pfft…

My boss and I are
sticking to the guns that got our support-to-user ratio up to 1/150. Has anyone
run into this problem? Do you give admin rights to your executives if they ask
for it?

A multitude of responses

As you can probably imagine, this provocative question received
a multitude of responses. Again, predictably, the responses spanned the entire
spectrum of potential solutions.

On one extreme you have jorge_mt
who shares with us the story of a network administrator who granted admin
rights to an executive and then hacked into the executive’s notebook to illustrate the possible
consequences the IT policy was designed to prevent. While that may have been
effective in that case, common sense would suggest that such extreme tactics
are not good business practices or good for long-term employment.

On the opposite end of the spectrum, you have dennis.doerr who wonders about an abuse
of control and offers this suggestion:

When you have a
request that falls either outside policy or somewhere on the edge, your job is
to evaluate the validity and provide an informed recommendation to your
supervisor. Don’t assume that someone doesn’t need something just because you
think they are not as knowledgeable as yourself. Different functional divisions
of a company will have different needs, i.e., executive, accounting,
engineering, etc.

Building toward a consensus

While there was a distinct diversity of opinion and advice,
several general themes can be gleaned from the discussion thread. The consensus
advice to Hiro_Protagonist touched
on these core ideas:

  • IT policy
  • Business needs
  • Chain of command
  • Get it in writing
  • Local rights only
  • No free support outside of IT policy
  • Political considerations

What is the IT policy?

According to the original question, there was a policy in
place that prohibited anyone from having admin rights. Several members
correctly pointed out that such policies and procedures are established for very good
reasons and should not be circumvented on an executive whim. For example, berniedixon notes that: Selectively
applying policy is known as discrimination in a courtroom setting and can lead
to wrongful termination lawsuits. Not applying policy at all is called implied
consent in that same courtroom. Which problem does the owner want to
potentially occur?

Business needs

Assuming an organization has carefully crafted, adopted, and
implemented an IT policy and assuming that policy has been communicated to all
employees, there must be a compelling reason to make an exception to that
policy. If a user can show a business case for why he should be allowed an
exception to policy, then it is quite plausible that he be granted that
privilege. After all, we are discussing policies and not absolutes.

One of the roles system administrators play is to provide
support for end users in the organization. In the long run, denying services
and playing the role of spoiler will only buy you trouble. But finding ways to
give users at least some of what they ask for, especially when it is reasonable
and business-supported, will make your working life less stressful.

Move the decision up the chain of command

The consensus advice in the discussion thread was clear:
whether a business need is established or not, the decision on whether to
override an IT policy and grant admin rights does not rest with the system
administrator. As eebywater points
out: The first thing is I point out what
the policy is and that I do not have any authority to override or change the
policy if I wish to stay employed, then point them to the person who authorized
the policy. Funny how the execs don’t want to waste their boss’s time with
minor things like this.

Get it in writing

There is a regrettable but very true reality that when
something goes seriously wrong in a company someone will be blamed. No matter
what is ultimately decided, the entire decision-making process should be
documented. When it comes to IT policy exceptions, the decision is a corporate
one and not any one individual’s. Formal documentation will help ensure that
everyone was aware of the risks associated with the decision and has accepted
responsibility for the consequences.

Documentation of this kind is also important for the
aftermath when something goes wrong, because, like it or not, the system
administrator will be the one asked to fix it. With documentation in place, it
will be much easier for the system administrator to explain unbudgeted time and
expenses needed to fix problems caused by exceptions to IT policy.

Local rights only

In terms of practical advice, a recurring suggestion was to
grant local rights for the laptop and not domain rights. AtraverzoRamos put it this way:

Just want to say from
my experience as a LAN Administrator, I never had a problem with giving administrative
rights to my end users on the local machine…once I get to know them. Local
rights are the safe way to go about it. Best for laptop users. Please keep in
mind once the user logs on to the network (Domain) his/her rights are limited;
they will have to log on to the local profile on the local machine to make
changes. By granting the above rights [you] will keep your network
infrastructure safe and secure.

No free support outside of IT policy

Another recurring piece of practical advice concerns what
happens if the executive’s system is corrupted because the additional rights
have been granted. There are many discussion posts suggesting system
administrators charge the executive for support of an installation not
specified by the IT policy. This idea was expressed best by samc-sysadmin:

Essentially, we told
the execs that they were stepping outside the I.T. department’s ability to
support his system in a timely and properly budgeted manner and that he would
have to accept full responsibility for that privilege. Many execs, when facing
the situation in that manner, will back off into corporate compliance. A few
that I recall decided to “go it alone” soon gave up after a few bad
experiences with trying to “outsource” their corporately customized
configurations to an unfamiliar consultant or repair shop.

Intangible political considerations

Throughout the entire discussion thread, the TechRepublic
membership made reference to the political aspects of the situation. From any
perspective you choose, the system administrator caught in this predicament
must balance the needs of a strong IT policy with the equally compelling need
to support end users in the organization. When executives use the weight of
their positions to bypass policy they create awkward situations and stressful
working environments, not only for the systems administrator, but for everyone.

Perhaps the best summary of the advice expressed along these
lines comes from LeonardRivera:

Do whatever you can
to give them what they want. Don’t tell them it can’t be done, tell them how it
can be done. Document everything and get signatures where needed. Enforce
policy and keep your supervisor(s) in the loop. If the poop is gonna fly, remember
to duck.

That’s the best advice
I can offer.

Culture a determining factor

Hiro_Protagonist
received many thoughtful suggestions for this serious and all-too-common
problem, but many of the responses were skewed by the corporate culture
experience of the poster. TechRepublic members working in large corporate
environments tended to have strong feelings against allowing exceptions to
established IT policy. Those discussion participants working in smaller
companies tended to be much more flexible when it came to enforcing corporate
policy.

While the basic principles outlined in the discussion thread
and listed in this article certainly apply to any size company, in the end,
corporate culture will likely be the overriding factor determining how a
particular system administrator will react to the described situation. But no
matter what is ultimately decided, a prudent administrator will take necessary
steps to ensure proper documentation and to establish a paper trail for future
reference.


Us vs. them

Reading through the discussion thread that led to this article, I was struck by the
number of TechRepublic members who seemed to operate under the “us vs.
them” mindset. As someone who has not held the position of system
administrator, perhaps I am just being naïve, but that sort of adversarial
attitude with regard to system administration seems like a recipe for disaster
over the long haul.

Do most system administrators feel they are in an
adversarial relationship with the rest of the organization? Is that the best
way to operate or would a more inclusive and positive attitude be more
effective over time?

Join me in the discussion area of this article where we can
explore this question further.