General discussion


admin rights for executives?

By Hiro_Protagonist ·
I've got a wanabe who just hired on as a Senior Vice President. This guy used to work for the company like 2 years ago but got laid off. Now he's back and we've upgraded to 2000 from 98 and he insists on having admin rights to his W2K laptop because he needs to "control his own destiny on the computer" pfft...
My boss and I are sticking to the guns that got our support to user ratio up to 1/150. Has anyone run into this problem? Do you give admin rights to your executives if they ask for it?

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

Maybe exec support

by gralfus In reply to admin rights for executiv ...

The way we handled execs was to provide them with their own polished support team. Most execs don't know their modem from a hole in the ground, so they appreciate having a well-dressed individual come and rescue them.

For those that have enough knowledge to make them dangerous, the same team can explain to them why the rules are there, etc. But you must have backing from on high or the execs will make life difficult. Most can at least understand that if they screw up their work PC, their work will suffer. Show them the danger versus benefit. Insist that if they want customization, that it should be done by them on their home PC (that is not attached to your network) or that you can provide installation of certain programs once they have been determined not to conflict with company work programs. It will come down to a power play - beware of the walls that will result as you can find yourself unemployed before you know it.

Lastly, image his PC in a working mode so that it can be restored quickly after he screws it up, because he will screw it up. And for kicks keep track of how many times this takes place and the cost involved.

Collapse -

thats good advice

by Hiro_Protagonist In reply to Maybe exec support

Thanks gralfus, Those are all very good points.

It will be interesting to see how this plays out. He claims that it will require more support because he won't be able to admin his own PC and will have to call me every time he needs something changed. Although, when I asked him for specifics he couldn't name anything besides installing his WiFi card for his home netowrk, which I agreed to install for him.

This may be a self-fulfilling prophecy. If he doesn't have the admin rights, he'll be more apt to want to install things and change settings and will make sure he is a giant pain in my butt so he can prove his point.

Personally I think he just doesn't like following rules set down by someone so much younger and lower on the food chain than him. This guy has a huge ego and would probably have a hard working tech like me canned just to get his way...

Collapse -

Installed a personal WIFI for him? Where's the policy on that?

by AFoshee In reply to thats good advice

We have similar problems at our company with managers at all levels wanting admin rights, and we just document all the problems that causes and eventually senior management gets tired of the cost and hassle involved and we get permission to lock down virtually every exception.

You've got to remember three things in corporate life...
1) For every rule you need to be ready for an exception.
2) Get everything in writing.
3) Without senior management approval you've got squat.

Our business isn't one prone to hackers nor security issues, but we are constantly vigilent to prevent problems. And WIFI networks are huge gaping holes of access for anyone with three brain cells and no morals to gain access to a network. We require all employees to disable or remove their WIFI cards while they're in the office, and we don't support any problems that are created with them (i.e. software conflicts, etc.).

I hope you didn't "step in it" by installing a personal piece of hardware in a corporate laptop - that would be a real big "NO-NO" where I am.

Good luck!

Collapse -

Very true

I think this makes sense, and it's what we do at my institution as well. With such a diverse group (executives, physicians, researchers, administrators, facilities, etc.) we have just about every type of client you can think of. We get administrative access release forms signed for anyone that wants access, no matter their executive level. Any damage they do (installed programs, added network cards, configuration changes, etc.) are fixed at a billable rate, rather than our usual inclusive break/fix service. Also, we require the altiris management client and norton antivirus in addition to a Win2k/XP domain login for network connection; this is a non-negotiable policy due to viruses and the need to update windows to patch vulnerabilities. Executive advocacy is a must-have, not only from the CIO, but from the rest of the senior management. As long as the CIO has the support of senior management, his/her policies will stick much better, and clients will soon realize that they must bear some responsibility. I like the idea of a dedicated team for "gold" support levels, although in this economy it's not often possible to do so. We have instituted "express service" for some activities that require payment, or a higher than usual payment, for services rendered outside our supported standards or for services to be rendered ahead of our standard SLA.

As for the manager that was lamenting his 150:1 machine/tech ratio...I'm up to about 500:1, so you've got a long way to go!!


Collapse -

Policy versus Procedures

by berniedixon In reply to thats good advice

First, policy is not signed by me the security officer as I'm not the owner (CE0, board of directors, etc.). The owner is the only one who can sign formal statement of rules that everyone in the company must follow. I write the procedures that implement both physical and logical controls based on policy and risk, which are both signed by the owner.

Second, this owner signed policy applies to everybody in the company, including executive VPs. Selectively applying policy is known as discrimination in a court room setting and can lead to wrongful termination law suits. Not applying policy at all is called implied consent in that same court room. Which problem does the owner want to potentially occur?

Third, what this all means is that the owner has to 100% support the policies he or she signed off on. If you are the one who signed policy (not procedures), then you have no hammer to apply to anyone in the company who violates that policy. If the owner doesn't really support policy, then you have no real hammer either, but the company could have some interesting days ahead in the business arena.

Lastly, if this exec has a business case for needing admin privileges, then let him present it. If approved by the owner, then give him security and admin training. Have him sign off that he is aware of his responsibilities as pertaining to company policies and procedures. Now he's responsible for any screw ups. See how he likes that :-)

Collapse -

Dont do it

by mdodd In reply to thats good advice

We had our VP of taxes try the same thing with his pc and his sonic wall at home. He kept messing up his system so much that I changed the passwords and he has to go through us for any changes to his pc/security system. The lesson learned by all was to stick to the policies because they were established for a good reason. Would he want you messing around in his office and change how he does things?

Collapse -

Control Issues

by dennis.doerr In reply to Dont do it

What I am hearing is a lot of control issues. What you have to remember is that IT is a necessary service center for a company, the key word being service. When you have a request that falls either outside policy or somewhere on the edge, your job is to evaluate the validity and provide an informed recomendation to your supervisor. Don't assume that someone doesn't need something just because you think they are not as knowledgeable as yourself. Different functional divisions of a company will have different needs i.e. executive, accounting, engineering, etc. I have seen companies that won't let engineers install thier own software, and on top of that it takes a formal request and at least 2 weeks to get the software installed. This is completely unacceptable. If you are going to deny a request you had better make sure you can properly support the needs of this individual.

One of the comments refered to the company network as thier office and "he wouldn't wnat you messing arround in his office?". Something to keep in mind is that the individuals PC has become the majority of his office, i.e. desktop, filling system, address and appointment book, etc. By limiting his ability to customize his computer you are in effect telling him what tools he can use on his desk.

I have Admin rights to my laptop and in the last 3 years I have installed hundreds of software packages, and none of these have created a problem that required IT intervension.

Collapse -


by fjeanbart In reply to Control Issues

Just assess the IT knowlege of people asking for admin privileges over their desktop.

1. Make sure that the administrative account used on the personal PC (laptop, workbook, whatever) IS NOT the same account used to log on the corporate network (!!!).

2. If they need some learning just to make sure they don't bug their machine every week, tell them to get the knowlege first, else show them how it could not only cost the company, but also that each "PC fail" is well documented for every employee (a person asking for such admin rights will think twice about it).

Collapse -

I agree 100%

by ranradio In reply to Control Issues

IT is a necessary service center for a company, the key word being service, instead of control

Collapse -

Total agreement

by mromero In reply to Dont do it

The Policies and Procedures are in place for a reason, there is no reason that I can see that warrants this type of access, all I can see is a lot of trouble not too far down the track.

This also leads me to ask the question why was he dismissed before?


Related Discussions

Related Forums