Not every network administration problem can be directly tied to a technical issue. Often the most difficult administrative situations stem from the volatility of human interaction, where politics, personality, and ego can render even the best IT policy moot. When well-established IT security procedures conflict with the desires of upper-echelon management, the front-line network administrator is often caught between the proverbial rock and a hard place.
Balancing established IT policy and procedures with the wishes of executives who can impact your working environment can be exasperating. Looking for a viable solution to this dilemma, Hiro_Protagonist posted a question in the TechRepublic Discussion Center recently:
Hiro_Protagonist—I've got a wannabe who just hired on as a Senior Vice President. This guy used to work for the company like 2 years ago but got laid off. Now he's back and we've upgraded to 2000 from 98 and he insists on having admin rights to his W2K laptop because he needs to "control his own destiny on the computer" pfft...
My boss and I are sticking to the guns that got our support-to-user ratio up to 1/150. Has anyone run into this problem? Do you give admin rights to your executives if they ask for it?
A multitude of responses
As you can probably imagine, this provocative question received a multitude of responses. Again, predictably, the responses spanned the entire spectrum of potential solutions.
On one extreme you have jorge_mt who shares with us the story of a network administrator who granted admin rights to an executive and then hacked into the executive's notebook to illustrate the possible consequences the IT policy was designed to prevent. While that may have been effective in that case, common sense would suggest that such extreme tactics are not good business practices or good for long-term employment.
On the opposite end of the spectrum, you have dennis.doerr who wonders about an abuse of control and offers this suggestion:
When you have a request that falls either outside policy or somewhere on the edge, your job is to evaluate the validity and provide an informed recommendation to your supervisor. Don't assume that someone doesn't need something just because you think they are not as knowledgeable as yourself. Different functional divisions of a company will have different needs, i.e., executive, accounting, engineering, etc.
Building toward a consensus
While there was a distinct diversity of opinion and advice, several general themes can be gleaned from the discussion thread. The consensus advice to Hiro_Protagonist touched on these core ideas:
- IT policy
- Business needs
- Chain of command
- Get it in writing
- Local rights only
- No free support outside of IT policy
- Political considerations
What is the IT policy?
According to the original question, there was a policy in place that prohibited anyone from having admin rights. Several members correctly pointed out that such policies and procedures are established for very good reasons and should not be circumvented on an executive whim. For example, berniedixon notes that:
Selectively applying policy is known as discrimination in a courtroom setting and can lead to wrongful termination lawsuits. Not applying policy at all is called implied consent in that same courtroom. Which problem does the owner want to potentially occur?
Assuming an organization has carefully crafted, adopted, and implemented an IT policy and assuming that policy has been communicated to all employees, there must be a compelling reason to make an exception to that policy. If a user can show a business case for why he should be allowed an exception to policy, then it is quite plausible that he be granted that privilege. After all, we are discussing policies and not absolutes.
One of the roles system administrators play is to provide support for end users in the organization. In the long run, denying services and playing the role of spoiler will only buy you trouble. But finding ways to give users at least some of what they ask for, especially when it is reasonable and business-supported, will make your working life less stressful.
Move the decision up the chain of command
The consensus advice in the discussion thread was clear: whether a business need is established or not, the decision on whether to override an IT policy and grant admin rights does not rest with the system administrator. As eebywater points out:
The first thing is I point out what the policy is and that I do not have any authority to override or change the policy if I wish to stay employed, then point them to the person who authorized the policy. Funny how the execs don't want to waste their boss's time with minor things like this.
Get it in writing
There is a regrettable but very true reality that when something goes seriously wrong in a company someone will be blamed. No matter what is ultimately decided, the entire decision-making process should be documented. When it comes to IT policy exceptions, the decision is a corporate one and not any one individual's. Formal documentation will help ensure that everyone was aware of the risks associated with the decision and has accepted responsibility for the consequences.
Documentation of this kind is also important for the aftermath when something goes wrong, because, like it or not, the system administrator will be the one asked to fix it. With documentation in place, it will be much easier for the system administrator to explain unbudgeted time and expenses needed to fix problems caused by exceptions to IT policy.
Local rights only
In terms of practical advice, a recurring suggestion was to grant local rights for the laptop and not domain rights. AtraverzoRamos put it this way:
Just want to say from my experience as a LAN Administrator, I never had a problem with giving administrative rights to my end users on the local machine...once I get to know them. Local rights are the safe way to go about it. Best for laptop users. Please keep in mind once the user logs on to the network (Domain) his/her rights are limited; they will have to log on to the local profile on the local machine to make changes. By granting the above rights [you] will keep your network infrastructure safe and secure.
No free support outside of IT policy
Another recurring piece of practical advice concerns what happens if the executive's system is corrupted because the additional rights have been granted. There are many discussion posts suggesting system administrators charge the executive for support of an installation not specified by the IT policy. This idea was expressed best by samc-sysadmin:
Essentially, we told the execs that they were stepping outside the I.T. department's ability to support his system in a timely and properly budgeted manner and that he would have to accept full responsibility for that privilege. Many execs, when facing the situation in that manner, will back off into corporate compliance. A few that I recall decided to "go it alone" soon gave up after a few bad experiences with trying to "outsource" their corporately customized configurations to an unfamiliar consultant or repair shop.
Intangible political considerations
Throughout the entire discussion thread, the TechRepublic membership made reference to the political aspects of the situation. From any perspective you choose, the system administrator caught in this predicament must balance the needs of a strong IT policy with the equally compelling need to support end users in the organization. When executives use the weight of their positions to bypass policy they create awkward situations and stressful working environments, not only for the systems administrator, but for everyone.
Perhaps the best summary of the advice expressed along these lines comes from LeonardRivera:
Do whatever you can to give them what they want. Don't tell them it can't be done, tell them how it can be done. Document everything and get signatures where needed. Enforce policy and keep your supervisor(s) in the loop. If the poop is gonna fly, remember to duck.
That's the best advice I can offer.
Culture a determining factor
Hiro_Protagonist received many thoughtful suggestions for this serious and all-too-common problem, but many of the responses were skewed by the corporate culture experience of the poster. TechRepublic members working in large corporate environments tended to have strong feelings against allowing exceptions to established IT policy. Those discussion participants working in smaller companies tended to be much more flexible when it came to enforcing corporate policy.
While the basic principles outlined in the discussion thread and listed in this article certainly apply to any size company, in the end, corporate culture will likely be the overriding factor determining how a particular system administrator will react to the described situation. But no matter what is ultimately decided, a prudent administrator will take necessary steps to ensure proper documentation and to establish a paper trail for future reference.
Us vs. them
Reading through the discussion thread that led to this article, I was struck by the number of TechRepublic members who seemed to operate under the "us vs. them" mindset. As someone who has not held the position of system administrator, perhaps I am just being naïve, but that sort of adversarial attitude with regard to system administration seems like a recipe for disaster over the long haul.
Do most system administrators feel they are in an adversarial relationship with the rest of the organization? Is that the best way to operate or would a more inclusive and positive attitude be more effective over time?
Join me in the discussion area of this article where we can explore this question further.
Mark W. Kaelin has been writing and editing stories about the IT industry, gadgets, finance, accounting, and tech-life for more than 25 years. Most recently, he has been a regular contributor to BreakingModern.com, aNewDomain.net, and TechRepublic.